Explore the impact, prevalence, and prevention of A8:2017-Insecure Deserialization vulnerability in OWASP Top Ten 2017. Learn how to mitigate remote code execution risks.
OWASP Top Ten 2017 describes the A8:2017-Insecure Deserialization vulnerability, which involves the exploitation of deserialization flaws in applications and APIs. This vulnerability can lead to remote code execution attacks, making it a serious threat to the security of the application and data. The article provides insights into the impact, prevalence, and detection of deserialization flaws, as well as recommendations on how to prevent such vulnerabilities.
The A8:2017-Insecure Deserialization vulnerability is included in the OWASP Top Ten 2017 based on an industry survey. It is not easily exploited: existing exploit code rarely works without changes or tweaks. Deserialization flaws are often discovered with the assistance of tools, but human validation is frequently required. Their impact can be significant, as they can enable remote code execution attacks; the severity depends on the protection needs of the application and data.
To prevent the A8:2017-Insecure Deserialization vulnerability, the recommended approach is not to accept serialized objects from untrusted sources at all, or to use serialization formats that only permit primitive data types. Where that is not possible, the recommendations are: implement integrity checks on serialized objects using digital signatures; enforce strict type constraints during deserialization; isolate the code that performs deserialization in low-privilege environments; log deserialization exceptions and failures; restrict or monitor the network connectivity of containers or servers that deserialize; and monitor deserialization activity.
Scenario #1: Remote Code Execution on a Spring Boot Application: In this scenario, a React application communicates with Spring Boot microservices by serializing user state and passing it with each request. An attacker discovers the Java object signature and uses a tool called Java Serial Killer to achieve remote code execution on the application server.
Scenario #2: Privilege Escalation in a PHP Forum: In this scenario, a PHP forum utilizes PHP object serialization to store a 'super' cookie containing user information, including the user's ID, role, and password hash. An attacker modifies the serialized object to grant themselves admin privileges, potentially leading to unauthorized access and control over the forum.
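The prevention measures above (an integrity check on the serialized object, strict type constraints during deserialization, and logging of failures) applied to the forum 'super' cookie of Scenario #2, as an added Python example that is not part of the OWASP text. An HMAC stands in for the digital signature the text recommends; the key, the cookie contents and the cookie layout are constructed for illustration.

```python
import hashlib
import hmac
import io
import logging
import pickle
from typing import Optional

log = logging.getLogger("deserialization")
# Constructed key for this example only; a real key comes from a secret store.
SECRET_KEY = b"example-only-key"


class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Strict type constraint: refuse every class lookup, so only built-in
    primitives (dict, list, str, int, bytes, bool, None, ...) can be loaded."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"class {module}.{name} is not permitted")


def make_cookie(session: dict) -> bytes:
    """Serialize the session and append an HMAC-SHA256 tag as an integrity check."""
    payload = pickle.dumps(session, protocol=4)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def load_session(cookie: bytes) -> Optional[dict]:
    """Verify the tag before parsing anything; log and reject every failure."""
    payload, sep, tag = cookie.rpartition(b".")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        log.warning("rejected cookie: signature mismatch")
        return None
    try:
        session = PrimitiveOnlyUnpickler(io.BytesIO(payload)).load()
    except (pickle.UnpicklingError, ValueError, EOFError) as exc:
        log.warning("rejected cookie: %s", exc)
        return None
    if not isinstance(session, dict):
        log.warning("rejected cookie: top-level value is not a dict")
        return None
    return session


# Constructed cookies mirroring Scenario #2 (forum 'super' cookie).
GOOD_COOKIE = make_cookie({"id": 132, "role": "user", "pw_hash": "placeholder-hash"})
TAMPERED_COOKIE = GOOD_COOKIE.replace(b"user", b"root", 1)   # same-length role edit
SIGNED_OBJECT_COOKIE = make_cookie({"id": 132, "role": logging.getLogger})
```

The tampered cookie fails the integrity check before the parser ever runs, and a correctly signed cookie that carries a non-primitive object is still refused by the type constraint, so each control holds on its own.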