Deserialization Attack
Description
Deserialization attacks occur when untrusted data is used to construct objects, potentially leading to remote code execution, denial of service, or other malicious actions. Example: Deserializing a crafted payload that includes malicious code to be executed upon deserialization.
Remediation
To prevent deserialization vulnerabilities, take the following actions:
- Avoid deserializing untrusted data whenever possible.
- Use safe deserialization libraries that parovide security features.
- Implement strict input validation and sanitization to ensure that only trusted data is deserialized.
- Use whitelisting techniques to restrict the types of objects that can be deserialized.
- Apply security controls such as application-level sandboxing to limit the impact of a potential deserialization attack.
REST Specific
Spring_boot
Use a secure deserialization library like Jackson with a safe module configuration. Avoid using Java native serialization and enforce strict input validation. Implement a whitelist of allowed classes for deserialization and apply security controls to limit the impact of any exploitation attempts.
Django
Use Django's built-in JSON deserialization mechanisms and avoid custom deserialization code. Implement strict input validation and whitelisting of acceptable object types. Regularly update Django to benefit from security patches.
Flask
Use secure deserialization libraries such as itsdangerous to handle untrusted data. Validate and sanitize inputs before deserialization and avoid using pickle or other unsafe methods. Implement security controls to sandbox deserialization processes.
Nodejs
Use libraries like serialize-javascript
and safe-eval
to handle deserialization securely. Avoid using eval()
or Function()
to process deserialized data. Validate all inputs and use a strict schema to define acceptable data structures.
Ruby_on_rails
Use Rails' built-in mechanisms for safe deserialization, such as JSON.parse. Avoid using YAML.load or Marshal.load with untrusted data. Enforce input validation and use a whitelist approach for deserializable classes.
Laravel
Use Laravel's native serialization mechanisms to handle data securely. Avoid using PHP's unserialize()
on untrusted data. Validate and sanitize inputs before processing and enforce strict type checks.
Express_js
Use secure libraries for deserialization in Express.js applications. Validate and sanitize all inputs before deserialization and avoid using eval()
or other unsafe methods. Implement strict schema validation to ensure only trusted data is processed.
Symfony
Use Symfony's Serializer component securely by validating and sanitizing inputs. Avoid using unserialize()
on untrusted data and enforce strict class type whitelisting. Regularly update Symfony components to incorporate security fixes.
Nuxt
Use secure libraries for deserialization in Nuxt.js applications. Validate and sanitize all inputs before deserialization and avoid using unsafe methods like eval()
. Implement strict schema validation to ensure only trusted data is processed.
Fastapi
Use Pydantic models in FastAPI to validate and deserialize data securely. Avoid using eval()
or other unsafe methods for processing deserialized data. Enforce strict schema validation and regularly update dependencies to benefit from security patches.
Configuration
Identifier:
injection/deserialization_attack
Examples
Ignore this check
checks:
injection/deserialization_attack:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API10:2023
pci: 6.5.2
gdpr: Article-32
soc2: CC6
iso27001: A.14.2
nist: SP800-53
fedramp: SI-10
Classification
- CWE: 502
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 9.8