Introduction
Insecure deserialization figures in the position height of the top critical issue reported by owasp.
In this article, I will touch on the fundamentals of insecure deserialization.
Nowadays, modern applications often require the transfer of data for storing or communication with other components.
An application transfers the data in a specific format, and on the other hand, the application that receives the data needs to convert it into the standard format.
Deserialization is the process of converting data that has been serialized into a format that can be read and used by a computer program. Object serialization refers to the opposite, and is the process during which an object is converted into a stream of bytes in order to store or transmit that object.
Insecure deserialization is a vulnerability that can occur when an application deserializes malicious data.
Why this Flaw is interesting?
Insecure deserialization allow attackers to execute arbitrary code on a target system. This can be done by crafting a malicious serialized object and sending it to the target system, which then deserializes it. I
When a website deserializes user-controllable data, this is known as insecure deserialization.
In addition to be critical vulnerability, they hard to defend against.
It is even feasible to replace a serialized object with one of a completely different class.
Surprisingly, regardless of whatever class was expected, objects of any class that is exposed to the website will be deserialized and created.
As a result, unsafe deserialization is frequently referred to as a "object injection" vulnerability.
An exception may be thrown if an object of an unexpected class is used.
However, the harm may have already been done by this point.
Many deserialization-based assaults are accomplished before the deserialization process is complete.
This implies that even if the website's own functionality does not directly interact with the malicious item, the deserialization process might start an attack.
As a result, websites whose logic is based on highly typed languages may be vulnerable to these tactics as well.
How can insecure deserialization flaws emerge?
Insecure deserialization vulnerabilities arise when an attacker is able to modify the serialized data that is being deserialized by the application.
Two primary reason:
- read data from untrusted source.
- read data without verification or sanitization.
This can allow the attacker to inject malicious code that will be executed by the application when it deserializes the data.
Let's take a vulnerable code written in PHP.
<?php
class PHPObjectInjection{
public $inject;
function __construct(){
}
function __wakeup(){
if(isset($this->inject)){
eval($this->inject);
}
}
}
if(isset($_REQUEST['r'])){
$var1=unserialize($_REQUEST['r']);
if(is_array($var1)){
echo "<br/>".$var1[0]." - ".$var1[1];
}
}
else{
echo ""; # nothing happens here
}
?>
The magic method are are special methods that alter PHP's default action when specific operations on an object are done. In order to exploit Insecure deserialization, try to find them in PHP code.
- __wakeup() when an object is unserialized.
- __destruct() when an object is deleted.
- __toString() when an object is converted to a string.
Because PHP supports object serialization, attackers might supply arbitrary serialized strings to a susceptible unserialize() method, leading in the injection of arbitrary PHP object(s) into the application scope.
Let's explain the code.
First we create a class named PHPObjectInjection, then the magic method wakeup that take the parameter "inject' to the eval function.
This is the main function of the code. In order to exploit this code you have to change a little bit the code .
Assign a value to "inject" parameter
public $inject="system('ls');";
In the end of the class I created a new object
$foo = new PHPObjectInjection();
Then I print the value of my serialize object:
echo serialize($foo);
This is the result of the print (serialize object in PHP looks like that).
O:18:"PHPObjectInjection":1:{s:6:"inject";s:13:"system('ls');";}
When the code will call the "wakeup" function it wil execute the injected OS command.
echo $foo->__wakeup();
In Conclusion the best way to protect against deserialization vulnerabilities is to avoid deserializing user input entirely. If you must deserialize user input, take measures to ensure that the data has not been tampered with, and do not use generic deserialization features. Remember that the goal is to prevent deserialization of user input.
In the next article I will explain Insecure deserialization in more details and try to exploit a vulnerable java code.
Top comments (0)