Web applications are becoming a foundation requirement for any organization as the world moves toward digitization. It is often necessary to send data between web applications in order to store, retrieve and communicate. Since the web applications prepare and send that data in between, the integrity of that data becomes a very crucial part, as it cannot be modified by any untrusted party. Applications should exchange data in the same data format, meaning that they should convert their own data formats into standard data formats before sending data and same applies for standard format to data format. Vulnerability occurs when converting data into its own data format after receiving data which has been de-serialized in an insecure way
Insecure Deserialization is a Vulnerability where an attacker injects the malicious object into the application while transferring serialize data which often leads to Remote Code Execution, Path Traversal, Privilege Escalation, Authentication Bypass and more!. Due to its critical nature, Insecure Deserialization has been ranked 8th on OWASP Web Top Ten list of critical vulnerabilities, which is merged in Software and Data Integrity features in 2021 Draft of OWASP Web Top Ten. To Understand Insecure Deserialization, let’s understand some important concepts.
The process of serializing an object involves converting its data into a format suitable for saving it in a file or database or sending it over the Internet. Serialization of objects can be carried out in binary or string formats depending on the language.
The data has to be shaped in a certain way preprocessed to a byte stream which is what serialization does. Some common serialization formats include XML ,Thrift, YAML and JSON.
The deserialization process is the inverse of serialization. It involves converting serialized data from files, streams, or networks into an object. Basically, deserialization reconstructs the byte stream in the same state as before it was serialized. This conversion is a typical process when done securely.
Insecure Deserialization often occurs when an attacker employs the customizable deserialization processes that many programming languages offer to control them with untrusted input. Unfortunately, the languages presume the data is safe and treat all serialized data structures as validated, thus allowing the insertion of malicious objects.
Now let’s take a classic example to understand this vulnerability, In Grand Theft Auto. In the first mission of the game, the player starts with null cash and full health. If we intercept the request while saving ‘the current state of player in the server, It’ll look like something like this,
UserState = {
UserId : "42312123123",
TimePlayed : "00:21:18",
CashVal : 0 ;
Health : 100 ;
}
The Application sends the user state to a server in serialized JSON format. As the client can modify the value of an object, we change the values. when we reopen the game, the Application fetches the data from a server it’ll load values that we have parsed.
UserState = {
UserId : "42312123123",
TimePlayed : "00:21:18",
CashVal : "74517" ;
Health : 100 ;
}
In this example, we have seen how an attacker can change the value of a serialized object which is reflected in the Game. But what if the application sends serialized parameter that defines the privileges or role of the user? Let’s take another example. The Following Application sends the user ID, device ID and Role in the supercookie using PHP serialization. When deserialized, it results as follows,
Cookie: YTo0OntpOjA7aToxMzI7aToxO3M6NzoicmFtZXNoIjtpOjI6IjIzMjlFRTk4MTY2QUQiczo0OiJpc0FkbWluIjsKYjowO3M6MjI6IkVCRDIyMTQyRDIyMzI5RUU5ODE2NkFEQjg3QTc2QzczIjt9
a:4:{i:0;i:132;i:1;s:7:"ramesh";i:2:"2329EE98166AD"s:4:"isAdmin";
b:0;s:22:"EBD22142D22329EE98166ADB87A76C73";}
Now, if we modify the serialized object b:0 to b:1, which is a boolean value to define if the user is admin or not, and allow us to perform actions with administrator privileges.
a:4:{i:0;i:132;i:1;s:7:"ramesh";i:2:"2329EE98166AD"s:4:"isAdmin";
b:1;s:22:"EBD22142D22329EE98166ADB87A76C73";}
Here, we have seen how Insecure deserialization vulnerability can lead to privilege escalation.
To understand the vulnerability further, let’s look at how serialization and deserialization work in PHP, Python and JavaScript.
Let’s see an example of serialization in PHP.
<?php
class MyObject {
public $name;
public $age;
public $species;
}
$object = new MyObject;
$object->name = "Toby";
$object->age = 25;
$object->species = "Human";
echo serialize($object);
?>
The above code serializes the object and returns the following serialized string which can be sent over the network or can saved in the file.
Python has modules to serialize objects like pickel and josnpickel. The advantage of using JsonPickle over pickle is it can be exported into JSON format using which is both Human and Machine Readable format for Example if the data is stored in the Amazon S3 bucket it can be indexed using Amazon’s Athena.
import os
import pickle
class Exploit(object):
def __reduce__(self):
return (os.system, ('cat /etc/passwd',))
serialized = pickle.dumps(Exploit())
pickle.loads(serialized)
In this example, the malicious Object is serialized in a pickle, this string could now be sent over the network and in pickle.loads(serialized) it takes the serialized data and deserialize it and executes it and If an attacker can modify the serialize variable it can lead to Remote Code Execution
Similar to Grand Theft Auto Example, The following code serialize gameState object to save in server and it can be intercepted and can be modified to execute Malicious Javascript.
PlayerSave= {
username = "0day",
score = 121,
timeSpent = "00:22:21"
}
serialized = JSON.stringify(PlayerSave)
deserialized = JSON.parse(serialized)
document.getElementById("score").innerHTML = deserialized.score;
The ‘serialized’ is now a string that can be sent over the network and ‘deserialized’ is now the same as ‘PlayerSave’.If an attacker can modify the value of “score” which is reflected in the application, this would lead to Cross-Site Scripting(XSS).
Insecure Deserialization can be manually tested by looking at the Application source code or using tools. BurpSuite has a wide range of Extensions to test for Insecure Deserialization. Here are our top picks.
Following is the list of extensions that come in handy while looking for Insecure Desrealization Vulnerabilities with BurpSuite.
Java Deserialization Scanner: Java Deserialization Scanner is a Burp Suite plugin aimed at detect and exploiting Java deserialization vulnerabilities which can be integrated with the active and passive scanner of BurpSuite.
GadgetProbe: This extension augments Intruder to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on a remote Java classpaths.
PHP Object Injection Check:
This extension adds an active scan check to find PHP object injection vulnerabilities. It passes a serialized PDO object in each insertion point. If PHP tries to unserialize this object a fatal exception is thrown triggered in the object’s __wakeup() method (ext/pdo/pdo_dbh.c).
Freddy, Deserialization Bug Finder: It helps detect and exploit serialization libraries/APIs. It’s Active scanning attempts to detect the use of vulnerable libraries by using Exception Based (Error Based), Time Based and collaborator based.
CVE-2021-39207 | ParlAi is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution |
CVE-2020-4682 | IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system |
CVE-2021-24040 | Unsafe YAML deserialization logic, By modifying local YAML configuration files providing malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0 |
CVE-2021-29781 | IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system |
CVE-2021-21677 | Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability. |
To protect your web application from insecure deserialization, it’s crucial never to pass a serialized object manipulated with untrusted input by the user to the deserialize function. In case you have to accept serialized objects, here are some ways to stop insecure deserialization
Validating User Inputs :
Using validation we can make sure only formatted data is accepted and stored in database. Every input should have validation from where the data is coming. Data can be entered from cookies and forms so, any other input should not be accepted if it varies from form
Deserialization Should be avoided From Untrusted Sources :
While building web application we must always consider more security by restricting access to authenticated and authorized users only. It can reduce the risk at great level. This doesn’t means that authenticated users can’t harm system, but we can track the authenticated users at some extent if something malicious happens.
Assigning Tools to find and fix vulnerability :
Sometimes it becomes heavy task to validate each and every field manually same goes for finding some weaknesses. So, we can employ tools to find and fix the vulnerability. It can reduce our burden a lot. Tool like Klockwork can help us to find vulnerability using static code analysis and proven to be effective in such cases.
Monitoring Deserialization :
Monitoring is involves continuous process. In deserialization monitoring we can check for user who is trying to send request of deserialization of object continuously in less amount of time. Using alerts in these monitoring software’s developers can easily understand from where the breach is happening.
Verification of objects which are serialized :
Here we can implement integrity constraints. They are great way to check and track the changes or modification in object. It is also a good way to maintain quality of object to be serialized. We also can use digital signatures to ensure authenticity of digital messages and documents.
Conclusion
Insecure Deserialization can cause really heavy damage to systems so it’s advised that one must follow all the precautionary guidelines and implement proper prevention techniques before attack happens because Prevention is always better than cure!