What is Insecure Deserialization and How Can You Prevent It?

Ayush Parti
August 11, 2022

Insecure deserialization is one of the most dangerous web vulnerabilities for web applications. Exploits from insecure deserialization occur when untrusted user input executes malicious code or abuses the system's logic. This can either manifest itself in the form of a DDoS attack or arbitrary code execution when the data gets deserialized.

Insecure deserialization is a major threat to web applications. It is part of the OWASP Top 10 vulnerabilities list.

In order to properly understand insecure deserialization and how it works, we will first need to understand the terms “serialization” and “deserialization.” 

What is "Serialization" and "Deserialization"?

Serialization is a process of converting an object into a format which can be “encoded” so that it can be saved, transferred or sent over a network. In other words, it is “serialized” into a certain format depending on its type. The serialized object can either be structured text or binary code. XML and JSON are the two most common formats for serialization. 

It is important to note that when data is “serialized” its attributes and key values are intact. 

Deserialization is the opposite of serialization. It involves “unpacking” the serialized information and data into their original state. The deserialization process is where most web applications are prone to issues.

The terms “deserialization” and “serialization” are known by other terms such as “marshalling” or “pickling” by programming languages such as Ruby and Python. In practice, these terms are synonymous. 

Serialization and Deserialization are very frequently used to program data. Most programming languages offer native features to serialize data. As long as the deserialization of objects is safe, it is completely acceptable and routine in software development. However, when untrusted user input begins to be deserialized, this is the area where a system is prone to attack.

How can you safeguard yourselves from such untrusted user input? Well, most programming languages offer a feature where you can customize how deserialization occurs. 

Most programming languages offer the ability to customize deserialization processes. Unfortunately, it’s frequently possible for an attacker to abuse these deserialization features when the application is deserializing untrusted data which the attacker controls. Successful insecure deserialization attacks could allow an attacker to carry out denial-of-service (DoS) attacks, authentication bypasses and remote code execution attacks.

How Does Insecure Deserialization Occur?

Insecure deserialization occurs mainly due to a lack of awareness. Most website owners and businesses do not realize how dangerous deserializing user-generated input can be. As a standard rule, user input should not be deserialized at all. 

That being said, there are instances where companies implement additional checks on deserialized data. Sometimes deserialized objects pass through as being “trustworthy” when they are not. When using programming languages that utilize binary serialization, many developers assume that a hacker would not be able to manipulate information using binary code. The truth is it is very frequently done, and it simply requires more effort. 

Another factor that influences the possibility of insecure deserialization attacks is the number of dependencies of a website (eg.: different libraries having a dependency on other libraries.) This creates a complicated system of assets which becomes increasingly difficult to oversee. Plugging in every hole and predicting where data will be passed through is not realistic. 

Therefore, as stated initially, the rule of thumb is to never trust user-generated input for deserialization. If your network infrastructure accepts deserialized input it is a critical vulnerability and an exploit waiting to happen. Insecure deserialization vulnerabilities have a simple fix, but identifying if this vulnerability exists is essential.

How Can You Identify An Insecure Deserialization Attack?

Identifying insecure deserialization is a straightforward process, whether you do white box or black box testing.

During auditing or conducting a test of your libraries, you should look at the entire deserialization process. The most important process is to analyze all data being passed into the website and try to identify anything that looks like serialized data. Serialized data can be identified relatively easily if you know the format that different languages use, even if it includes primitive data types or complex data structures. Once you identify serialized data, you can test whether you are able to control it.

If you accept serialized objects which are user-generated, you always run the risk of accepting a malicious object into your infrastructure.

What are Some Ways that Objects are Manipulated to Be Harmful?

Something as simple as altering an attribute in a serialized object can open the gate for exploiting deserialization vulnerabilities. Since the object state still contains its initial values and meta-data, the serialized object can be subject to injection of malicious code. This malicious data can be passed on to the website via the deserialization process. The system will simply execute the information present within the packet of data and it will lead to subsequent breach of application security. This is the initial stage of how insecure deserialization leads to a web attack.

Broadly speaking, there are two approaches you can take when manipulating serialized objects. You can either edit the object:

Directly (in its original byte stream form)

or

You can write a script in the corresponding language to create and serialize the new object yourself. It is important to note here that the latter approach is often easier when working with binary serialization formats.

What is the Impact of Insecure Deserialization on A Website?

Insecure deserialization attacks can have huge consequences on websites. Depending on the nature of the attack and the contents of the untrusted input, the password hash of a system can be extracted, digital signatures can be forged, admin privileges can be accessed, and more. It is important to monitor application behavior for unknown threats and have the right measures in place to restrict untrusted sources from interacting with your database in any form.

Final takeaways to Prevent Insecure Deserialization Attacks

In short, there are a few key ways to solve Insecure Deserialization vulnerabilities from an architectural point of view. Apart from obvious measures such as not trusting any user-generated input, here are other cyber security hygiene practices you must keep in mind:

  1. Use language-appropriate formats: Opt for formats such as JSON or YAML as opposed to native binary formats.
  2. Include integrity checks: when possible, include positive validation based on signatures for serialized data. Never trust data that has been provided by the user as it is the most common way this hack can occur.
  3. Ensure that your protection tool provides you with full transparency: Avoid protection based on blacklisting or pattern matching (such as what most WAF's provide) because it is not flexible enough to block unknown threats. A WAF is good to augment your cyber security protocol but not a stand-alone defense.
  4. Completely ban remote code execution: This is one of the most commonly seen effects of Insecure Deserialization. There is no need to enable execution of remote code unless absolutely required.
  5. Heyhack tip: Wrap your application to ensure that no remote execution occurs.

How can I Ensure My Web Apps are Safe from Insecure Deserialization Proactively?

Conducting thorough integrity checks of your website is the only foolproof way to ensure you are safe from insecure deserialization vulnerabilities.

According to OWASP's knowledge base on Insecure Deserialization "Some tools can detect insecure deserialization vulnerabilities, but human assistance is frequently needed to validate the problem. It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help identify and address it."

Penetration testing is a cost-effective way of ensuring your web applications are secure from insecure deserialization vulnerabilities as well as countless other security loopholes. Heyhack provides an automated pen-testing platform that protects your web applications against insecure deserialization and all other OWASP-listed vulnerabilities. Get in touch to know more!

Start pentesting today

Sign up for a free trial for Heyhack and start your first penetration test today.
Our trial is free for 14 days and requires no commitment whatsoever.
Sign Up for a Free TrialBook a Demo

Start your first automated penetration test today

Sign up for a free trial to Heyhack and start your first penetration test within a matter of minutes. You can also book a demo session with one of our security experts that will help you get started.