Deserialization Attack

Description

Deserialization attacks occur when untrusted data is used to construct objects, potentially leading to remote code execution, denial of service, or other malicious actions. Example: Deserializing a crafted payload that includes malicious code to be executed upon deserialization.

Remediation

To prevent deserialization vulnerabilities, take the following actions:

• Avoid deserializing untrusted data whenever possible.
• Use safe deserialization libraries that parovide security features.
• Implement strict input validation and sanitization to ensure that only trusted data is deserialized.
• Use whitelisting techniques to restrict the types of objects that can be deserialized.
• Apply security controls such as application-level sandboxing to limit the impact of a potential deserialization attack.

REST Specific

Spring_boot

Use a secure deserialization library like Jackson with a safe module configuration. Avoid using Java native serialization and enforce strict input validation. Implement a whitelist of allowed classes for deserialization and apply security controls to limit the impact of any exploitation attempts.

Django

Use Django's built-in JSON deserialization mechanisms and avoid custom deserialization code. Implement strict input validation and whitelisting of acceptable object types. Regularly update Django to benefit from security patches.

Flask

Use secure deserialization libraries such as itsdangerous to handle untrusted data. Validate and sanitize inputs before deserialization and avoid using pickle or other unsafe methods. Implement security controls to sandbox deserialization processes.

Nodejs

Use libraries like serialize-javascript and safe-eval to handle deserialization securely. Avoid using eval() or Function() to process deserialized data. Validate all inputs and use a strict schema to define acceptable data structures.

Ruby_on_rails

Use Rails' built-in mechanisms for safe deserialization, such as JSON.parse. Avoid using YAML.load or Marshal.load with untrusted data. Enforce input validation and use a whitelist approach for deserializable classes.

Laravel

Use Laravel's native serialization mechanisms to handle data securely. Avoid using PHP's unserialize() on untrusted data. Validate and sanitize inputs before processing and enforce strict type checks.

Express_js

Use secure libraries for deserialization in Express.js applications. Validate and sanitize all inputs before deserialization and avoid using eval() or other unsafe methods. Implement strict schema validation to ensure only trusted data is processed.

Symfony

Use Symfony's Serializer component securely by validating and sanitizing inputs. Avoid using unserialize() on untrusted data and enforce strict class type whitelisting. Regularly update Symfony components to incorporate security fixes.

Nuxt

Use secure libraries for deserialization in Nuxt.js applications. Validate and sanitize all inputs before deserialization and avoid using unsafe methods like eval(). Implement strict schema validation to ensure only trusted data is processed.

Fastapi

Use Pydantic models in FastAPI to validate and deserialize data securely. Avoid using eval() or other unsafe methods for processing deserialized data. Enforce strict schema validation and regularly update dependencies to benefit from security patches.

Configuration

Identifier: injection/deserialization_attack

Examples

Ignore this check

checks:
  injection/deserialization_attack:
    skip: true

Score

• Escape Severity: HIGH

Compliance

• OWASP: API10:2023

• pci: 6.5.2

• gdpr: Article-32

• soc2: CC6

• iso27001: A.14.2

• nist: SP800-53

• fedramp: SI-10

Classification

• CWE: 502

Score

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
• CVSS_SCORE: 9.8

References

• https://cwe.mitre.org/data/definitions/502.html
  • https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html