Documented standards for secure product development

A downloadable Security Handbook to document our best practices


8. Insecure deserialization

Hostile serialized objects are accepted, resulting in remote code execution.

What it is

Before data is stored or transmitted, it is serialized into a stream of bytes so that it can later be restored to its original structure. Reassembling that stream back into a file or object is called deserialization.

How it works

Data that will be deserialized can be tampered with while it sits in disk storage or travels over HTTP/TCP, and the tampered bytes can carry malicious content. The vulnerability arises when the application does not verify the data’s source or contents before deserializing it.

Two primary types of deserialization attacks:

  1. Object and data structure-related attacks, in which a crafted object changes application logic, triggers a buffer overflow, or achieves remote code execution.

  2. Data tampering attacks, which keep the existing data structures but change their content (e.g., altering a role or user ID for access control attacks).

Why it’s bad

Attackers can construct illegitimate objects that execute commands inside the vulnerable application.

Countermeasures

  • Use serialization mediums that only permit primitive data types.

  • Do not accept serialized objects from untrusted sources.

  • Implement integrity checks, such as digital signatures.

  • Enforce strict type constraints during deserialization.

  • Isolate code that performs deserialization in low-privilege environments.

  • Log deserialization failures and anomalies.

  • Restrict incoming and outgoing network connectivity for services or containers that perform deserialization.

  • Implement alerting and monitoring on suspicious cases for all the countermeasures noted.

Insecure deserialization example

Hostile serialized objects are accepted because of unsafe handling in the application’s source code.

The source code below does nothing to stop an attacker from supplying a crafted object, so the object invokes a malicious action (here, loading an arbitrary DLL) instead of the program’s original intent.

Sample JSON payload

{"$type":"System.Configuration.Install.AssemblyInstaller.System.Configuration.Install, Version=4.0.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",
 "Path":"file:///c:/somePath/MixedLibrary.dll"}

Source code

using System.Reflection;

// System.Configuration.Install.AssemblyInstaller: the setter behind the
// "Path" property that the JSON payload above populates.
public void set_Path(string value)
{
    if (value == null)
    {
        this.assembly = null;
    }
    // The attacker-controlled string is passed straight to Assembly.LoadFrom,
    // which loads (and runs the module initializers of) whatever DLL it names.
    this.assembly = Assembly.LoadFrom(value);
}
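The following is an added example, not the handbook’s or .NET’s own code, showing two of the countermeasures above applied to the "$type" style of payload: an integrity check over the raw bytes before parsing, and a strict type allow-list enforced through a Json.NET ISerializationBinder. It assumes the Newtonsoft.Json package; the Order class, AllowListBinder and SafeDeserializer names are hypothetical.

```csharp
// Added example (not from the handbook). Assumes Newtonsoft.Json is referenced.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class Order            // hypothetical: the only object this endpoint accepts
{
    public int Id { get; set; }
    public decimal Total { get; set; }
}

// Strict type constraint: "$type" may resolve only to names in this allow-list,
// so a payload naming AssemblyInstaller (or any other gadget) is rejected.
sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["Order"] = typeof(Order),
    };

    public Type BindToType(string assemblyName, string typeName) =>
        Allowed.TryGetValue(typeName, out var t)
            ? t
            : throw new JsonSerializationException($"Type not allowed: {typeName}");

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;             // never emit assembly-qualified names
        typeName = serializedType.Name;
    }
}

public static class SafeDeserializer
{
    // Integrity check: only bytes carrying a valid HMAC from a key holder are parsed at all.
    public static Order Deserialize(byte[] key, byte[] payload, byte[] tag)
    {
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(payload);
        if (!CryptographicOperations.FixedTimeEquals(expected, tag))
            throw new InvalidOperationException("Integrity check failed; payload rejected");

        var settings = new JsonSerializerSettings
        {
            // Prefer TypeNameHandling.None when polymorphism is not needed; if it is,
            // keep it together with the allow-list binder so "$type" cannot name gadgets.
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };
        return JsonConvert.DeserializeObject<Order>(Encoding.UTF8.GetString(payload), settings);
    }
}
```

Failures from either check should be logged and alerted on, as the countermeasures list recommends, since a rejected "$type" is a strong signal of an attempted attack rather than a client bug.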
