Insecure Deserialization: Description
DESCRIPTION
Insecure Deserialization is a vulnerability that occurs when untrusted data, upon being deserialized,
is used to abuse the logic of an application, inflict a denial of service (DoS), or even execute
arbitrary code. It is listed in the OWASP Top 10.
ATTACK
Vulnerabilities may also arise because deserialized objects are often assumed to be
trustworthy. Especially when a language uses a binary serialization format, developers
may assume that users cannot read or manipulate the data effectively. However, while it may
take more effort, an attacker can exploit binary serialized objects just as readily as
string-based formats.
MITIGATION
Ensure that your protection tool has full visibility: avoid protection based on
blacklisting or pattern matching (such as WAF and DAST), because it is not
flexible enough to block unknown threats. RASPs, on the other hand, enjoy full
visibility.
Prevent remote execution: one of the most frequent and pernicious effects of
Insecure Deserialization is remote code execution. RASPs wrap your
application to ensure that no remote execution occurs.
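The following Python is an added example, not code from the original page and not the RASP the page describes; it illustrates the ATTACK section's point for a binary format and shows one application-level control that complements the mitigations above. Python's pickle output, which looks opaque, is fully legible with the standard library's pickletools; a same-length byte swap on a constructed session blob changes a field and plain pickle.loads accepts the result without complaint. An HMAC tag computed over the serialized bytes rejects the altered blob before anything is deserialized, and a restricted Unpickler refuses to import any class, which is what stops a serialized object graph from turning into code execution. SESSION, SECRET_KEY and every blob below are constructed sample data.

```python
"""Added example: a binary serialization format is readable and forgeable,
and what an integrity check plus a restricted loader do about it.
All data here is constructed for the demonstration."""
import collections
import hashlib
import hmac
import io
import pickle
import pickletools

# Constructed sample: a session object an application might hand to the client.
SESSION = {"user": "alice", "role": "guest"}

# Constructed secret; a real deployment keeps this out of source code.
SECRET_KEY = b"example-server-side-secret"


def serialize(obj) -> bytes:
    """Serialize with pickle, a binary format that looks opaque but is not."""
    return pickle.dumps(obj, protocol=4)


def disassemble(blob: bytes) -> str:
    """Render the binary blob as readable opcodes: every field value is visible."""
    out = io.StringIO()
    pickletools.dis(blob, out=out)
    return out.getvalue()


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Same-length byte substitution: the length prefix stays valid, so no
    deeper knowledge of the format is needed to alter a field."""
    assert len(old) == len(new), "keep the length prefix valid"
    return blob.replace(old, new)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to import any class during deserialization, so only builtin
    scalars and containers can be reconstructed. Importing arbitrary classes
    is the step that lets a deserialized object graph execute code."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def sign(blob: bytes) -> bytes:
    """Integrity tag computed server-side over the serialized bytes."""
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()


def verify_and_load(blob: bytes, tag: bytes):
    """Check the tag in constant time and reject before deserializing anything."""
    if not hmac.compare_digest(sign(blob), tag):
        raise ValueError("integrity check failed: refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def refuses_class_instances() -> bool:
    """The restricted loader stops at the first attempt to import a class.
    OrderedDict is a harmless stdlib type, used only as a constructed sample."""
    blob = serialize(collections.OrderedDict(a=1))
    try:
        RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Returns (legitimate object, role plain pickle accepted, forged blob rejected)."""
    blob = serialize(SESSION)
    tag = sign(blob)
    legit = verify_and_load(blob, tag)
    forged = tamper(blob, b"guest", b"admin")
    # Plain pickle.loads has no notion of integrity and accepts the forged bytes.
    accepted_role = pickle.loads(forged)["role"]
    try:
        verify_and_load(forged, tag)
        rejected = False
    except ValueError:
        rejected = True
    return legit, accepted_role, rejected


if __name__ == "__main__":
    print(disassemble(serialize(SESSION)))
    print(demo())
    print("class import refused:", refuses_class_instances())
```

The safest design avoids deserializing untrusted binary object graphs at all and uses a data-only format such as JSON validated against a strict schema; where a native format cannot be avoided, sign the bytes and restrict which types the loader may reconstruct, as above.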