March 05, 2019

OWASP Insecure Deserialization Vulnerability


Insecure Deserialization is a web application vulnerability, which is used against the logic of the application with untrusted data and resulted in DOS (Denial of Service) attack, even malicious code execution which secured the 8th spot in WOASP top 10.

Before understanding the vulnerability we must know what serialization and deserialization are.

Serialization is the process of converting an object into a format which can persist inside a disk or database. Which can be sent data stream (stdout), sent over a network communication. The serialized format can be binary or structured text. Mostly JSON and XML formats are being used by the web application for serializing an object.

Deserialization is completely the opposite procedure of serialization where serialized data coming from files, streams, network socket and transform into an object.

In current situation, web application frequently uses serialization and deserialization processes even some application provides native features to specially serialize the object into JSON or XML format to provide more flexibility in term of platform independence. Still, it is taken as a safe practice while serializing and desterilizing object in the field of application development. But the problem arises when untrusted user input is being desterilized and getting the destructive output like Denial of Service, Privilege escalation or arbitrary code execution.

The following python example can be taken as an example of insecure deserialization. In python, the native module for serialization and deserialization is called pickle. This example will serialize the exploit to run whoami command and desterilize it with pickle.load().

# Import dependencies

import os
import _pickle
# Attacker prepares exploit that application will insecurely deserialize

class Exploit(object):
def __reduce__(self):
return (os.system, ('whoami',))

# Attacker serializes the exploit

def serialize_exploit():
shellcode = _pickle.dumps(Exploit())
return shellcode

# Application insecurely deserializes the attacker's serialized data

def insecure_deserialization(exploit_code):
if __name__ == '__main__':

# Serialize the exploit
shellcode = serialize_exploit()

# Attacker's payload runs a `whoami` command


Now it will be easy to understand in the context of a web application. If you have no other choice but has to use the native serialization format like python pickle. It will be always a good practice to never desterilize the data which is directly travelled over a network or coming from a data source which not controlled by your application. For printing, this vulnerability one must use the language-agnostic method for deserialization.


Post a Comment