
What is serialization and deserialization? | What is insecure deserialization?



What is serialization?

Serialization is the process of converting the state of an object into a byte stream so that it can be saved to a file (or sent somewhere else).

Why do we need Serialization?

Let's take the example of a computer game. When we start the game we get the option to resume it. Now think about how it is possible that the game starts from where we last left it. When we play the game we see only the graphics, but in the computer's memory it is data that is being processed (for example x-axis 200, y-axis 300). When we stop the game, all the required data in memory is converted into a byte stream and that byte stream is saved into a file; this is called serialization. When we restart the game, the application reads the byte-stream file again, deserializes the data, and loads all the serialized data back into memory. That is why the game resumes from where we last stopped.

This is one use case of serialization, and there are many more depending on the application: it can be used for communication from one machine to another and for transferring information, because serialized data is machine-independent.

Serialized data can be stored in files, databases, and memory.

What is deserialization?

Deserialization is the reverse process of serialization. It's the process of reconstructing the object from the serialized state.


What is an object?

In simple words, an object in the OOP concept is a container that holds the variables defined in its corresponding class and is used to perform the functions (methods) specified in that class.
We create an object in order to call the methods or variables of another class.

Example of Java object:

In this scenario, I have created a class "Lazyhacker22" in which I have defined the variable "String url".

Lazyhacker22.java

import java.io.Serializable;

// Implementing Serializable marks the class as eligible for ObjectOutputStream/ObjectInputStream
public class Lazyhacker22 implements Serializable {
    String url;

    public Lazyhacker22(String url) {
        this.url = url;
    }
}

Now I want to use the variable of the "Lazyhacker22" class in the "serialization" class. To do this I have to create an object of Lazyhacker22 in the "serialization" class.

serialization.java

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;

class serialization {
    public static void main(String args[]) {
        try {
            // Creating the object
            Lazyhacker22 s1 = new Lazyhacker22("lazyhacker22.blogspot.com");
            // Creating the stream and writing the object as a byte stream
            FileOutputStream fout = new FileOutputStream("serialized_out.txt");
            ObjectOutputStream out = new ObjectOutputStream(fout);
            out.writeObject(s1);
            out.flush();
            // Closing the stream
            out.close();
            System.out.println("success");
        } catch (Exception e) {
            System.out.println(e);
        }
    }
}

Deserialization.java

import java.io.FileInputStream;
import java.io.ObjectInputStream;

class deserialization {
    public static void main(String args[]) {
        try {
            // Creating the stream to read the object
            ObjectInputStream in = new ObjectInputStream(new FileInputStream("serialized_out.txt"));
            // readObject() instantiates whatever class the byte stream names; the cast happens only afterwards
            Lazyhacker22 s = (Lazyhacker22) in.readObject();
            // Printing the data of the deserialized object
            System.out.println("Deserialization Done");
            System.out.println(s.url);
            // Closing the stream
            in.close();
        } catch (Exception e) {
            System.out.println(e);
        }
    }
}

Example of serialized and deserialized data:

Here, I have serialized the "lazyhacker22.blogspot.com" string and saved the byte stream in the "serialized_out.txt" file.

Here, I have deserialized the byte-stream file "serialized_out.txt" and read the output.

[Image: how the serialized file looks in Notepad]

[Image: how the serialized file looks in a hex editor]


What is serialization vulnerability or insecure deserialization?

A deserialization vulnerability (insecure deserialization) is a security vulnerability that occurs when a malicious user or attacker modifies a serialized object in order to compromise the system or its data, and the system deserializes it without any integrity check. This may lead to denial of service (DoS), code execution, etc.
In a web application, insecure deserialization occurs when user-controllable data is serialized by the application and later deserialized by the web application without verifying that input.

How to prevent insecure deserialization?

  • Do not accept serialized objects from untrusted sources such as users.
  • Use integrity checks on serialized data before deserialization. You can use a digital signature or any other integrity check (for example an HMAC).
  • Use encryption on serialized data.
  • Run deserialization code with low privileges.
  • Log deserialization exceptions and failures.
  • Use a WAF (web application firewall).
  • Restrict or monitor incoming and outgoing network connectivity from servers where deserialization takes place.
  • Limit the JVM's access on the server to reduce the attack scope.
  • Keep open-source libraries up to date.
  • Follow secure coding practices.
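The integrity-check item above, shown as an added example that is not part of the original post: the serialized bytes are wrapped in an envelope carrying an HMAC-SHA256 tag, and the tag is verified in constant time before a single byte reaches ObjectInputStream. The class names (SignedSerialization, seal, open) and the demo key are assumptions made for this example; a real key would come from a secret store on the server and never be shared with the client.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedSerialization {

    // Same shape as the Lazyhacker22 class from the post, re-declared so this file is self-contained.
    static class Lazyhacker22 implements Serializable {
        private static final long serialVersionUID = 1L;
        String url;
        Lazyhacker22(String url) { this.url = url; }
    }

    private static final String MAC_ALG = "HmacSHA256";
    private static final int MAC_LEN = 32; // HmacSHA256 output size in bytes

    // Envelope layout: [32-byte HMAC tag][serialized object bytes]
    static byte[] seal(Serializable obj, byte[] key) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        byte[] payload = bos.toByteArray();
        byte[] tag = hmac(key, payload);
        byte[] envelope = new byte[MAC_LEN + payload.length];
        System.arraycopy(tag, 0, envelope, 0, MAC_LEN);
        System.arraycopy(payload, 0, envelope, MAC_LEN, payload.length);
        return envelope;
    }

    // Verify the tag BEFORE deserializing; MessageDigest.isEqual is a constant-time comparison.
    static Object open(byte[] envelope, byte[] key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        if (envelope.length < MAC_LEN) {
            throw new SecurityException("envelope too short to contain an HMAC tag");
        }
        byte[] tag = Arrays.copyOfRange(envelope, 0, MAC_LEN);
        byte[] payload = Arrays.copyOfRange(envelope, MAC_LEN, envelope.length);
        if (!MessageDigest.isEqual(tag, hmac(key, payload))) {
            throw new SecurityException("HMAC mismatch: serialized data was modified or not produced by us");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    private static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key, MAC_ALG));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key for this example only.
        byte[] key = "demo-key-change-me-0123456789abcdef".getBytes(StandardCharsets.UTF_8);

        byte[] envelope = seal(new Lazyhacker22("lazyhacker22.blogspot.com"), key);
        Lazyhacker22 s = (Lazyhacker22) open(envelope, key);
        System.out.println("verified and deserialized: " + s.url);

        // Simulate the tampering the post describes (editing the byte stream in a hex editor):
        // flip one bit of the serialized object and try to open it again.
        byte[] tampered = envelope.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            open(tampered, key);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the ordering in open() is that ObjectInputStream is never constructed on unverified bytes: a modified stream fails the HMAC check and the object graph inside it is never instantiated. An HMAC only proves the bytes came from a holder of the key, so it is still worth combining with the class allow-listing described in the note below the list.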
Note: The vulnerability arises in Java deserialization because the serialized file stores the type of the object to be deserialized, so the byte stream decides which class gets instantiated. To fix this, we need to do whitelisting (allow-listing) and only allow Java to deserialize the classes we expect. You can override the ObjectInputStream class so that, when it resolves the type of an object, it only allows specific classes. This does not fix bad code: if a class that is on the whitelist itself executes a command in its readObject method, the whitelist won't help you. Be careful with what you do inside serializable objects.
