
Insecure deserialization

Description

The system deserializes objects without first validating their content or casting them to a specific, expected type.

Impact

Allows an attacker to control the application's execution flow.

Recommendation

Validate incoming serialized objects and deserialize them only if they have the expected type and properties.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 3.7
    • Temporal: 3.5
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Bind the serializer to the expected type at compile time instead of deriving the type from the input

using System.Web.Mvc;
using System.Xml.Serialization;

public class XmlSerializerTestCase : Controller {
    public ActionResult SecureDeserialization() {
        // The target type is fixed in code; nothing in the request can choose it
        XmlSerializer serializer = new XmlSerializer(typeof(ExpectedType));
        ExpectedType obj = (ExpectedType)serializer.Deserialize(Request.InputStream);
        return View(obj);
    }
}
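The following is an added example, not code from the original page, that puts the recommendation above into a complete controller action: the serializer is bound to a compile-time type, DTD processing is disabled on the XML reader, schema mismatches are rejected, and the resulting object is checked against expected property ranges before it is used. The ExpectedType DTO, the IsValid rules and the action name are assumptions made for illustration.

```csharp
using System;
using System.Web.Mvc;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical DTO this endpoint accepts. The type is fixed at compile time
// and never taken from the request.
public class ExpectedType
{
    public string Name { get; set; }
    public int Quantity { get; set; }
}

public class XmlSerializerSecureCase : Controller
{
    // Serializer bound to the single expected type; the XML payload cannot
    // redirect it to a different type.
    private static readonly XmlSerializer Serializer =
        new XmlSerializer(typeof(ExpectedType));

    [HttpPost]
    public ActionResult SecureDeserialization()
    {
        ExpectedType obj;

        // Reader hardened against DTD / external entity tricks in the payload
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };

        using (var reader = XmlReader.Create(Request.InputStream, settings))
        {
            try
            {
                obj = (ExpectedType)Serializer.Deserialize(reader);
            }
            catch (InvalidOperationException)
            {
                // Payload does not match the XML shape of ExpectedType
                return new HttpStatusCodeResult(400, "Malformed payload");
            }
        }

        // Business-level validation of the deserialized object before use
        if (!IsValid(obj))
        {
            return new HttpStatusCodeResult(400, "Unexpected property values");
        }

        return Json(new { obj.Name, obj.Quantity });
    }

    // Assumed business rules; adapt to the real DTO
    internal static bool IsValid(ExpectedType obj)
    {
        return obj != null
            && !string.IsNullOrWhiteSpace(obj.Name)
            && obj.Name.Length <= 64
            && obj.Quantity >= 0
            && obj.Quantity <= 10000;
    }
}
```

XmlSerializer only ever instantiates the type it was constructed with, so the remaining risks are malformed input (handled by the catch) and valid-but-unexpected values (handled by IsValid); the DTD settings are defence in depth against XML-level attacks on the same endpoint.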

Non compliant code

The type to deserialize into is taken directly from the request, so the input decides which class gets instantiated

using System;
using System.Web.Mvc;
using System.Xml.Serialization;

public class XmlSerializerTestCase : Controller {
    public ActionResult UnsecureDeserialization(string typeName) {
        // Attacker-controlled type name resolved to a runtime type
        Type t = Type.GetType(typeName);
        XmlSerializer serializer = new XmlSerializer(t);
        object obj = serializer.Deserialize(Request.InputStream);
        return View(obj);
    }
}

Example that lets the serialized payload specify the type name (TypeNameHandling.All)

using Newtonsoft.Json;

public class ExampleClass {
    public ExampleClass() {
        // TypeNameHandling.All honors a "$type" property in the JSON, so the
        // payload, not the code, decides which .NET type is instantiated
        var settings = new JsonSerializerSettings();
        settings.TypeNameHandling = TypeNameHandling.All;
    }
}
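As an added example that is not the page's own code, the weak JsonSerializerSettings shown above next to two hardened configurations: TypeNameHandling.None, which ignores any type metadata in the payload, and a polymorphic variant that honors type metadata only for types listed in a custom ISerializationBinder, followed by property validation of the result. The Order contract, the AllowListBinder class and the constructed payload are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message contract for this example
public class Order
{
    public string Id { get; set; }
    public int Quantity { get; set; }
}

// Allow-list binder: only the types listed here may be instantiated from a
// "$type" metadata property. Anything else is rejected, never resolved.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(Order).FullName, typeof(Order) },
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        throw new JsonSerializationException("Type not allowed: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class OrderDeserializer
{
    // Non compliant: the payload decides which CLR type gets instantiated
    public static readonly JsonSerializerSettings Insecure = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All,
    };

    // Compliant: type metadata in the payload is ignored (Json.NET's default)
    public static readonly JsonSerializerSettings Secure = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,
    };

    // Compliant when polymorphism is really needed: metadata is honored only
    // for allow-listed types
    public static readonly JsonSerializerSettings SecurePolymorphic = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder(),
    };

    public static Order Parse(string json, JsonSerializerSettings settings)
    {
        var order = JsonConvert.DeserializeObject<Order>(json, settings);
        // Validate expected properties before the object is used anywhere
        if (order == null || string.IsNullOrEmpty(order.Id) || order.Quantity <= 0)
            throw new JsonSerializationException("Order failed validation");
        return order;
    }

    public static void Main()
    {
        // Constructed payload: "$type" names a type the endpoint never asked for
        const string payload =
            "{\"$type\":\"Example.SomeOtherType, Example\",\"Id\":\"A1\",\"Quantity\":2}";

        // Secure: "$type" is skipped, the payload becomes a plain Order
        Console.WriteLine(Parse(payload, Secure).Id);

        // SecurePolymorphic: the binder rejects the unlisted type
        try { Parse(payload, SecurePolymorphic); }
        catch (JsonSerializationException e) { Console.WriteLine(e.Message); }

        // Insecure: Json.NET tries to load and instantiate whatever type the
        // payload names; here that fails only because the name does not resolve
        try { Parse(payload, Insecure); }
        catch (JsonSerializationException e) { Console.WriteLine(e.Message); }
    }
}
```

The allow-list binder is the check the recommendation asks for at the type level; the validation in Parse is the same check at the property level. Leaving TypeNameHandling at None removes the problem entirely and should be the default unless polymorphic payloads are a real requirement.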

Requirements