Avoid deserializing untrusted data
Summary
The system must not deserialize untrusted data before applying the appropriate integrity checks.
Description
Serialization is the process of transforming an object into a stream of bytes so that it can be stored or transmitted. This preserves the object's state, which can be recovered later through deserialization. If the serialized data comes from an untrusted source and is not properly validated before being deserialized, it can enable deserialization attacks such as object injection.
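The following is an added example, not part of this requirement page: it shows one way to satisfy the requirement by attaching an HMAC tag to serialized data and verifying it, in constant time, before any parsing happens, using a data-only format (JSON) rather than a native object serializer. The key, function names and the test helper are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads it from a secret store.
SECRET_KEY = b"demo-key-do-not-use-in-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

class IntegrityError(ValueError):
    """Token failed its integrity check and must not be deserialized."""

def serialize(obj: dict, key: bytes = SECRET_KEY) -> bytes:
    # Canonical JSON, then an HMAC-SHA256 tag over the exact bytes we will parse.
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload)

def deserialize(token: bytes, key: bytes = SECRET_KEY) -> dict:
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError) as exc:
        raise IntegrityError("malformed token") from exc
    if len(raw) < TAG_LEN:
        raise IntegrityError("token too short to carry a tag")
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; nothing is parsed until the tag matches.
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity check failed; refusing to deserialize")
    # JSON yields only dicts, lists and scalars, never arbitrary class instances.
    obj = json.loads(payload.decode("utf-8"))
    if not isinstance(obj, dict):
        raise IntegrityError("unexpected top-level type")
    return obj

def tampered_copy(token: bytes) -> bytes:
    # Constructed test helper: flip one payload byte, keep the original tag.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))

def accepts(token: bytes, key: bytes = SECRET_KEY) -> bool:
    # True if the token passes the integrity check, False if it is rejected.
    try:
        deserialize(token, key)
    except IntegrityError:
        return False
    return True
```

A modified payload, a token produced under a different key, or a malformed token is rejected before `json.loads` ever runs.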
Supported In
This requirement is verified in the following services
Plan | Supported |
---|---|
Machine | 🟢 |
Squad | 🟢 |
References
- CAPEC™-130. Excessive allocation
- CAPEC™-153. Input data manipulation
- CAPEC™-248. Command injection
- CAPEC™-586. Object injection
- CWE™-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
- CWE™-502. Deserialization of untrusted data
- OWASP TOP 10-A3. Injection
- OWASP TOP 10-A8. Software and data integrity failures
- NIST Framework-PR_DS-6. Integrity checking mechanisms are used to verify software, firmware and information integrity
- CERT-J-SER12-J. Prevent deserialization of untrusted data
- PA-DSS-5_2_1. Injection flaws, particularly SQL injection
- SANS 25-12. Deserialization of Untrusted Data
- PDPO-S1_4. Security of personal data
- HITRUST CSF-10_d. Message integrity
- FedRAMP-CA-3. System interconnections
- FedRAMP-SC-8. Transmission confidentiality and integrity
- ISA/IEC 62443-IAC-1_13. Access via untrusted networks
- OWASP SCP-1. Input validation
- OWASP MASVS-V6_8. Platform interaction requirements
- CWE TOP 25-502. Deserialization of untrusted data
- OWASP ASVS-1_5_2. Input and output architecture
- OWASP ASVS-1_14_5. Configuration architecture
- OWASP ASVS-5_5_1. Deserialization prevention
- OWASP ASVS-5_5_3. Deserialization prevention
- OWASP ASVS-5_5_4. Deserialization prevention
- CASA-1_5_2. Input and Output Architecture
- CASA-1_14_5. Configuration Architecture
- CASA-5_5_1. Deserialization Prevention