This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Deserialization Cheat Sheet"

From OWASP
Jump to: navigation, search
(Beginning a draft of an safe deserialization page)
 
m (Point to the official site)
 
(52 intermediate revisions by 11 users not shown)
Line 1: Line 1:
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
+
__NOTOC__
=Introduction=
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
This article is focused on providing clear, simple, actionable guidance for safely deserializing untrusted data in your applications.
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
==What is Deserialization?==
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html Deserialization Cheat Sheet] to see the latest version of the cheat sheet.
 
 
Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
 
 
 
Many programming languages offer a native capability for serializing their objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.
 
 
 
The following cheatsheet attempts to dictate safe methodologies for deserializing data that can't be trusted.
 
 
 
= References =
 
* [[Deserialization of untrusted data]]
 
 
 
= Authors and Primary Editors =
 
 
 
Arshan Dabirsiaghi - arshan [at] contrastsecurity dot org<br/>
 
 
 
== Other Cheatsheets ==
 
{{Cheatsheet_Navigation}}
 
 
 
<nowiki>[[Category:Cheatsheets]]</nowiki>
 

Latest revision as of 14:06, 15 July 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit Deserialization Cheat Sheet to see the latest version of the cheat sheet.