DEV Community

Cover image for Insecure Deserialization For Beginners
Nathan
Nathan

Posted on • Edited on

6 5

Insecure Deserialization For Beginners

Introduction

Insecure deserialization figures in the position height of the top critical issue reported by owasp.

In this article, I will touch on the fundamentals of insecure deserialization.

Nowadays, modern applications often require the transfer of data for storing or communication with other components.

An application transfers the data in a specific format, and on the other hand, the application that receives the data needs to convert it into the standard format.

Deserialization is the process of converting data that has been serialized into a format that can be read and used by a computer program. Object serialization refers to the opposite, and is the process during which an object is converted into a stream of bytes in order to store or transmit that object.

Image description

Insecure deserialization is a vulnerability that can occur when an application deserializes malicious data.

Why this Flaw is interesting?

Insecure deserialization allow attackers to execute arbitrary code on a target system. This can be done by crafting a malicious serialized object and sending it to the target system, which then deserializes it. I
When a website deserializes user-controllable data, this is known as insecure deserialization.
In addition to be critical vulnerability, they hard to defend against.

It is even feasible to replace a serialized object with one of a completely different class.
Surprisingly, regardless of whatever class was expected, objects of any class that is exposed to the website will be deserialized and created.
As a result, unsafe deserialization is frequently referred to as a "object injection" vulnerability.
An exception may be thrown if an object of an unexpected class is used.
However, the harm may have already been done by this point.
Many deserialization-based assaults are accomplished before the deserialization process is complete.
This implies that even if the website's own functionality does not directly interact with the malicious item, the deserialization process might start an attack.
As a result, websites whose logic is based on highly typed languages may be vulnerable to these tactics as well.

How can insecure deserialization flaws emerge?

Insecure deserialization vulnerabilities arise when an attacker is able to modify the serialized data that is being deserialized by the application.
Two primary reason:

  • read data from untrusted source.
  • read data without verification or sanitization.

This can allow the attacker to inject malicious code that will be executed by the application when it deserializes the data.

Let's take a vulnerable code written in PHP.



<?php 
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
    if(isset($_REQUEST['r'])){  
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){
            echo "<br/>".$var1[0]." - ".$var1[1];
        }
    }
    else{
        echo ""; # nothing happens here
    }
?>


Enter fullscreen mode Exit fullscreen mode

The magic method are are special methods that alter PHP's default action when specific operations on an object are done. In order to exploit Insecure deserialization, try to find them in PHP code.

  1. __wakeup() when an object is unserialized.
  2. __destruct() when an object is deleted.
  3. __toString() when an object is converted to a string.

Because PHP supports object serialization, attackers might supply arbitrary serialized strings to a susceptible unserialize() method, leading in the injection of arbitrary PHP object(s) into the application scope.

Let's explain the code.
First we create a class named PHPObjectInjection, then the magic method wakeup that take the parameter "inject' to the eval function.
This is the main function of the code. In order to exploit this code you have to change a little bit the code .
Assign a value to "inject" parameter
public $inject="system('ls');";

In the end of the class I created a new object
$foo = new PHPObjectInjection();
Then I print the value of my serialize object:
echo serialize($foo);

This is the result of the print (serialize object in PHP looks like that).
O:18:"PHPObjectInjection":1:{s:6:"inject";s:13:"system('ls');";}

When the code will call the "wakeup" function it wil execute the injected OS command.
echo $foo->__wakeup();

Image description

In Conclusion the best way to protect against deserialization vulnerabilities is to avoid deserializing user input entirely. If you must deserialize user input, take measures to ensure that the data has not been tampered with, and do not use generic deserialization features. Remember that the goal is to prevent deserialization of user input.
In the next article I will explain Insecure deserialization in more details and try to exploit a vulnerable java code.

Image of Timescale

Timescale – the developer's data platform for modern apps, built on PostgreSQL

Timescale Cloud is PostgreSQL optimized for speed, scale, and performance. Over 3 million IoT, AI, crypto, and dev tool apps are powered by Timescale. Try it free today! No credit card required.

Try free

Top comments (0)

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

👋 Kindness is contagious

Immerse yourself in a wealth of knowledge with this piece, supported by the inclusive DEV Community—every developer, no matter where they are in their journey, is invited to contribute to our collective wisdom.

A simple “thank you” goes a long way—express your gratitude below in the comments!

Gathering insights enriches our journey on DEV and fortifies our community ties. Did you find this article valuable? Taking a moment to thank the author can have a significant impact.

Okay