Deserialization of untrusted data
Description
Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed upon object construction or exploit mass assignment. Consider safer alternatives such as serializing data in the JSON format and ensure the application specifies exactly which object types are allowed to be deserialized.
Examples
Insecure Code
```java
// Any class named in the XML document can be resolved and instantiated.
XMLDecoder decoder = new XMLDecoder(inputStream);
```
Secure Code
```java
// Four-argument constructor: owner and ExceptionListener are left at their defaults,
// and a custom class loader restricts which classes the decoder may resolve.
XMLDecoder decoder = new XMLDecoder(inputStream, null, null, new ClassLoader() {
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!name.equals(NameOfBeanHere.class.getName()) &&
            !name.equals(XMLDecoder.class.getName())) {
            // Deliberately an unchecked exception rather than ClassNotFoundException:
            // XMLDecoder's class lookup retries with the default class loader when the
            // supplied loader reports the class as not found, which would bypass this check.
            throw new RuntimeException("Unauthorized deserialization attempt: " + name);
        }
        return super.loadClass(name, resolve);
    }
});
```
Remediation
Use a custom ClassLoader to prevent loading of arbitrary classes when deserializing with XMLDecoder. Only deserialize to the exact object type that is expected and consider creating an intermediary type that can be serialized with only the necessary fields exposed.
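An added end-to-end example, not part of this rule page, that applies the allowlisting class loader from the secure snippet in a runnable program: it round-trips an expected bean through XMLEncoder/XMLDecoder and shows a document naming a non-allowlisted class being refused. `RestrictedXmlDecoderDemo`, `Settings` (standing in for NameOfBeanHere), `allowlistLoader` and `decode` are hypothetical names chosen for this example.

```java
import java.beans.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class RestrictedXmlDecoderDemo {
    // Hypothetical bean standing in for NameOfBeanHere: the only type this code expects to decode.
    public static class Settings {
        private String theme = "light";
        public String getTheme() { return theme; }
        public void setTheme(String theme) { this.theme = theme; }
    }

    static final Set<String> ALLOWED = Set.of(Settings.class.getName(), XMLDecoder.class.getName());

    // Rejects with a plain RuntimeException on purpose: XMLDecoder's class lookup treats
    // ClassNotFoundException (and SecurityException) as "retry with the default loader".
    static ClassLoader allowlistLoader() {
        return new ClassLoader(RestrictedXmlDecoderDemo.class.getClassLoader()) {
            @Override
            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
                if (!ALLOWED.contains(name)) throw new RuntimeException("Unauthorized deserialization attempt: " + name);
                return super.loadClass(name, resolve);
            }
        };
    }

    // XMLDecoder reports element errors to its ExceptionListener and keeps parsing, so every
    // reported problem is collected and the whole document is refused if any element was rejected.
    static Object decode(byte[] xml) {
        List<Exception> problems = new ArrayList<>();
        Object result = null;
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml), null, problems::add, allowlistLoader())) {
            result = d.readObject();
        } catch (RuntimeException e) { // e.g. no object was produced after a rejected element
            problems.add(e);
        }
        if (!problems.isEmpty()) {
            throw new SecurityException("Rejected XML document: " + problems.get(0).getMessage(), problems.get(0));
        }
        return result;
    }

    public static void main(String[] args) {
        Settings s = new Settings(); s.setTheme("dark");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (XMLEncoder enc = new XMLEncoder(out)) { enc.writeObject(s); }
        Settings back = (Settings) decode(out.toByteArray()); // allowed type: decodes normally
        System.out.println("decoded theme: " + back.getTheme());
        // Constructed document naming a harmless class that is not on the allowlist.
        String other = "<java class=\"java.beans.XMLDecoder\"><object class=\"java.util.ArrayList\"/></java>";
        try { decode(other.getBytes(StandardCharsets.UTF_8)); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```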
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0731 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, insecure deserialization |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |