Difference between revisions of "Top 10-2017 A8-Insecure Deserialization"
(Prepare OWASP Top 10-2017 Release (Content)) |
m (Editorial changes e.g. line feeds, fixed colors) |
||
| Line 24: | Line 24: | ||
<td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | ||
<!--- Security Weakness: ---> | <!--- Security Weakness: ---> | ||
| − | This issue is included in the Top 10 based on an <u>[https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html industry survey]</u> and not on quantifiable data. Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem. It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it. </td> | + | This issue is included in the Top 10 based on an <u>[https://owasp.blogspot.com/2017/08/owasp-top-10-2017-project-update.html industry survey]</u> and not on quantifiable data.<br/>Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem. It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it. </td> |
<td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | ||
<!--- Impacts: ---> | <!--- Impacts: ---> | ||
| − | The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data. </td> | + | The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible.<br/>The business impact depends on the protection needs of the application and data. </td> |
{{Top_10_2010:SummaryTableEndTemplate|year=2017}} | {{Top_10_2010:SummaryTableEndTemplate|year=2017}} | ||
| Line 57: | Line 57: | ||
<b>Scenario #2</b>: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state: | <b>Scenario #2</b>: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state: | ||
| − | {{Top_10_2010:ExampleBeginTemplate|year=2017}}<b> | + | {{Top_10_2010:ExampleBeginTemplate|year=2017}}<b>a:4:{i:0;i:132;i:1;s:7:"<span style="color:red;">Mallory</span>";i:2;s:4:"<span style="color:red;">user</span>"; |
| − | a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; | + | i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}</b>{{Top_10_2010:ExampleEndTemplate}} |
| − | i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";} | ||
| − | |||
An attacker changes the serialized object to give themselves admin privileges: | An attacker changes the serialized object to give themselves admin privileges: | ||
| − | {{Top_10_2010:ExampleBeginTemplate|year=2017}}<b | + | {{Top_10_2010:ExampleBeginTemplate|year=2017}}<b> |
| − | a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin"; | + | a:4:{i:0;i:1;i:1;s:5:"<span style="color:red;">Alice</span>";i:2;s:5:"<span style="color:red;">admin</span>"; |
| − | i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";} | + | i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}</b>{{Top_10_2010:ExampleEndTemplate}} |
| − | |||
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|year=2017|language=en}} | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|year=2017|language=en}} | ||
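Review bot: the red highlighting added in the Scenario #2 hunk marks only the name and role fields, but the user ID also changes between the two cookies (`i:0;i:132` in the original, `i:0;i:1` in the tampered one); wrapping that value in the same `<span style="color:red;">` would show readers all three altered fields. The line-break placement also differs between the two examples now: the first cookie starts on the same line as `<b>` and breaks after `s:4:"user";`, while the second keeps `<b>` on its own line, so the rendered boxes will wrap differently.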
| Line 71: | Line 68: | ||
* <u>[[Deserialization_Cheat_Sheet|OWASP Cheat Sheet: Deserialization]]</u> | * <u>[[Deserialization_Cheat_Sheet|OWASP Cheat Sheet: Deserialization]]</u> | ||
* <u>[[OWASP_Proactive_Controls#4:_Validate_All_Inputs|OWASP Proactive Controls: Validate All Inputs]]</u> | * <u>[[OWASP_Proactive_Controls#4:_Validate_All_Inputs|OWASP Proactive Controls: Validate All Inputs]]</u> | ||
| − | * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard | + | * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard]]</u> |
* <u>[https://speakerdeck.com/pwntester/surviving-the-java-deserialization-apocalypse OWASP AppSecEU 2016: Surviving the Java Deserialization Apocalypse]</u> | * <u>[https://speakerdeck.com/pwntester/surviving-the-java-deserialization-apocalypse OWASP AppSecEU 2016: Surviving the Java Deserialization Apocalypse]</u> | ||
* <u>[https://speakerdeck.com/pwntester/friday-the-13th-json-attacks OWASP AppSecUSA 2017: Friday the 13th JSON Attacks]</u> | * <u>[https://speakerdeck.com/pwntester/friday-the-13th-json-attacks OWASP AppSecUSA 2017: Friday the 13th JSON Attacks]</u> | ||
Latest revision as of 16:57, 1 January 2018
← A7-Cross-Site Scripting (XSS) | A9-Using Components with Known Vulnerabilities →
| Threat Agents / Attack Vectors | Security Weakness | Impacts |
|---|---|---|
| App Specific; Exploitability: 1 | Prevalence: 2; Detectability: 2 | Technical: 3; Business ? |
| Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or tweaks to the underlying exploit code. | This issue is included in the Top 10 based on an industry survey and not on quantifiable data. Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem. It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it. | The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data. |
Is the Application Vulnerable?

Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in two primary types of attacks:

Serialization may be used in applications for:

How to Prevent

The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types. If that is not possible, consider one or more of the following:

Example Attack Scenarios

Scenario #1: A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing user state and passing it back and forth with each request. An attacker notices the "R00" Java object signature, and uses the Java Serial Killer tool to gain remote code execution on the application server.

Scenario #2: A PHP forum uses PHP object serialization to save a "super" cookie, containing the user's user ID, role, password hash, and other state:

    a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
    i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

An attacker changes the serialized object to give themselves admin privileges:

    a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
    i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
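Scenario #2 above, together with the "serialization mediums that only permit primitive data types" rule under How to Prevent, as an added example that is not part of the OWASP page: a Python reader for PHP's serialize() format that accepts only scalars and arrays and refuses object and reference tokens outright, so the scenario's cookie can be inspected and validated without ever handing it to a deserializer that instantiates classes, followed by an HMAC-signed replacement for the "super" cookie so that editing the role field is detected instead of trusted. The cookie strings are copied from the scenario text; the function names, the demo key and the JSON layout are this example's own assumptions.

```python
"""Added example (not OWASP's code): primitive-only parsing of PHP serialize()
output, and an integrity-protected replacement for the scenario's cookie."""
import hashlib
import hmac
import json
from typing import Any, Optional, Tuple, Union

# Cookie values as printed in Scenario #2 (copied from the page, line breaks removed).
ORIGINAL_COOKIE = b'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED_COOKIE = b'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'


class UnsafeSerializedData(ValueError):
    """Raised for any token that is not a primitive: objects (O:, C:), references (r:, R:), junk."""


def php_unserialize_primitives(data: Union[str, bytes]) -> Any:
    """Parse PHP serialize() output accepting only N, b, i, d, s and arrays of those.
    Nothing is instantiated; an object token anywhere in the input raises."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise UnsafeSerializedData("trailing data after value")
    return value


def _expect(data: bytes, pos: int, ch: bytes) -> None:
    if data[pos:pos + 1] != ch:
        raise UnsafeSerializedData(f"expected {ch!r} at offset {pos}")


def _parse(data: bytes, pos: int) -> Tuple[Any, int]:
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:132;  d:1.5;  b:1;
        _expect(data, pos + 1, b":")
        end = data.index(b";", pos + 2)
        raw = data[pos + 2:end].decode("ascii")
        if tag == b"i":
            return int(raw), end + 1
        if tag == b"d":
            return float(raw), end + 1
        return raw == "1", end + 1
    if tag == b"s":                                   # s:7:"Mallory";  length is in bytes
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        _expect(data, colon + 1, b'"')
        start = colon + 2
        text = data[start:start + length].decode("utf-8")
        _expect(data, start + length, b'"')
        _expect(data, start + length + 1, b";")
        return text, start + length + 2
    if tag == b"a":                                   # a:4:{ key;value;key;value... }
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, b"{")
        pos = colon + 2
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            if not isinstance(key, (int, str)):
                raise UnsafeSerializedData("array keys must be int or string")
            items[key], pos = _parse(data, pos)
        _expect(data, pos, b"}")
        return items, pos + 1
    raise UnsafeSerializedData(f"refusing non-primitive token {tag!r} at offset {pos}")


def is_primitive_only(data: Union[str, bytes]) -> bool:
    """True when the blob parses as primitives only; False for objects or malformed input."""
    try:
        php_unserialize_primitives(data)
        return True
    except ValueError:
        return False


def sign_state(state: dict, key: bytes) -> str:
    """Replacement cookie: JSON of primitives plus an HMAC-SHA256 tag over the payload."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_state(cookie: str, key: bytes) -> Optional[dict]:
    """Return the state only if the tag matches (constant-time compare), else None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"   # assumption: server-side secret
    parsed = php_unserialize_primitives(ORIGINAL_COOKIE)
    tampered = php_unserialize_primitives(TAMPERED_COOKIE)
    signed = sign_state({"uid": parsed[0], "role": parsed[2]}, key)
    forged = signed.replace('"user"', '"admin"')        # same edit the scenario describes
    return {"original_role": parsed[2], "tampered_role": tampered[2],
            "signed_ok": verify_state(signed, key), "forged_ok": verify_state(forged, key)}


if __name__ == "__main__":
    print(demo())
```

The parser reads the page's two cookies fine and shows that the role moved from "user" to "admin", but it raises on any `O:` token, which is where PHP's own `unserialize()` would construct a class and run its magic methods; the PHP-native equivalent of that refusal is `unserialize($data, ['allowed_classes' => false])`. The signed replacement makes the edit detectable rather than silently accepted; better still is to keep only the user ID in the cookie and read the role from the server's own store on each request, since a signature proves integrity, not that the stored claim is still true.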
References
OWASP
External