Avoid deserializing untrusted data
Summary
The system must not deserialize untrusted data before applying the appropriate integrity checks.
Description
Serialization is the process of transforming an object into a stream of bytes to store or transmit it. This allows saving its state, so that it can be recovered later using deserialization. If an object comes from an untrusted source and is not properly validated before being deserialized, it can lead to deserialization attacks such as object injection.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-130. Excessive allocation
- CAPEC™-153. Input data manipulation
- CAPEC™-248. Command injection
- CAPEC™-586. Object injection
- CWE™-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
- CWE™-502. Deserialization of untrusted data
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A8. Software and data integrity failures
- CERT-J-SER12-J. Prevent deserialization of untrusted data
- PA-DSS-5_2_1. Injection flaws, particularly SQL injection
- SANS 25-15. Deserialization of untrusted data
- SANS 25-18. Use of hard-coded credentials
- PDPO-S1_4. Security of personal data
- HITRUST CSF-10_d. Message integrity
- FedRAMP-CA-3. System interconnections
- FedRAMP-SC-8. Transmission confidentiality and integrity
- ISA/IEC 62443-IAC-1_13. Access via untrusted networks
- OWASP SCP-1. Input validation
- CWE TOP 25-502. Deserialization of untrusted data
- CWE TOP 25-798. Use of hard-coded credentials
- OWASP ASVS-1_5_2. Input and output architecture
- OWASP ASVS-1_14_5. Configuration architecture
- OWASP ASVS-5_5_1. Deserialization prevention
- OWASP ASVS-5_5_3. Deserialization prevention
- OWASP ASVS-5_5_4. Deserialization prevention
- CASA-1_5_2. Input and Output Architecture
- CASA-1_14_5. Configuration Architecture
- CASA-5_5_1. Deserialization Prevention
Vulnerabilities
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.