The Dangerous Vulnerability of Insecure Deserialization: How Attackers Exploit it and How to Protect Your Applications

Sanaullah Aman Korai
6 min readMar 17, 2023
Insecure Deserialization (Courtesy Portswigger)

In today’s digital age, where businesses rely heavily on technology to streamline their operations and offer their services online, security has become a top priority. Every organization that operates online must ensure that its systems are secure, and that data is protected from unauthorized access, tampering, or theft. However, as the number of connected devices and the amount of data they generate continue to grow, so do the vulnerabilities in the systems that process and store that data. One such vulnerability is insecure deserialization, which can have serious consequences for businesses and their customers.

Insecure deserialization is a vulnerability that arises when a program fails to validate data that is received from an untrusted source. Deserialization is the process of converting data that has been serialized (converted to a format that can be easily stored or transmitted) back into its original form. This process is used in many applications to save and load data, to communicate between different applications, and to store data in databases. However, if the data is not validated before it is deserialized, it can be manipulated to cause the program to execute arbitrary code or to perform other malicious actions.

To understand the danger of insecure deserialization, let’s take a look at an example. Imagine that you are running an e-commerce website that allows customers to place orders and pay online. When a customer places an order, the details of the order are serialized and sent to the server for processing. The server then deserializes the data and adds the order to the database.

Now, suppose that an attacker intercepts the data sent from the customer and manipulates it before sending it to the server. For example, the attacker could add some malicious code to the serialized data that would be executed when the data is deserialized. This code could be used to steal sensitive information from the server, to delete or modify data in the database, or to perform other malicious actions.

The consequences of insecure deserialization can be severe. In addition to theft of data or denial of service attacks, it can also lead to the execution of arbitrary code, which could result in the complete compromise of a system. This could allow an attacker to gain full access to the system, to escalate privileges, to install malware, or to use the compromised system as a launching point for further attacks.

Now that we understand the danger of insecure deserialization, let’s look at some practical scenarios where this vulnerability can be exploited.

Exploiting Insecure Deserialization in Java

Java is a widely used programming language that is often used in enterprise applications. In Java, serialization and deserialization are performed using the ObjectInputStream and ObjectOutputStream classes. When a Java object is serialized, its data is converted into a binary stream of data that can be transmitted or stored. When the binary data is received, it is deserialized back into a Java object.

Insecure deserialization in Java can be exploited by sending a malicious serialized object to the server. This object can contain code that will be executed when the object is deserialized. For example, an attacker could include a serialized object that contains a command to delete files from the server.

To prevent this type of attack, Java applications should validate the serialized data before deserializing it. This can be done by using a whitelist of allowed classes or by using a custom deserialization method that validates the data before creating the object.

Exploiting Insecure Deserialization in PHP

PHP is a popular server-side scripting language that is used to create dynamic websites and web applications. In PHP, serialization and deserialization are performed using the serialize() and unserialize() functions. These functions convert PHP variables into a string representation that can be transmitted or stored. When the string is received, it is unserialized back into a PHP variable.

Insecure deserialization in PHP can be exploited by sending a malicious string to the server that contains code that will be executed when the string is unserialized. For example, an attacker could include a serialized string that contains a command to execute arbitrary code on the server.

To prevent this type of attack, PHP applications should validate the unserialized data before using it. This can be done by using a whitelist of allowed classes or by using a custom unserialize() function that validates the data before creating the object.

Exploiting Insecure Deserialization in JSON

JSON (JavaScript Object Notation) is a lightweight data interchange format that is used to transmit data between different applications. In JSON, serialization and deserialization are performed using the JSON.stringify() and JSON.parse() functions. These functions convert JavaScript objects into a string representation that can be transmitted or stored. When the string is received, it is parsed back into a JavaScript object.

Insecure deserialization in JSON can be exploited by sending a malicious JSON string to the server that contains code that will be executed when the string is parsed. For example, an attacker could include a JSON string that contains a command to execute arbitrary code on the client-side.

To prevent this type of attack, JSON applications should validate the parsed data before using it. This can be done by using a whitelist of allowed classes or by using a custom parse() function that validates the data before creating the object.

Exploiting Insecure Deserialization in XML

XML (Extensible Markup Language) is a markup language that is used to store and transmit data. In XML, serialization and deserialization are performed using the XmlSerializer and XmlDeserializer classes. When an object is serialized, its data is converted into an XML document that can be transmitted or stored. When the XML document is received, it is deserialized back into an object.

Insecure deserialization in XML can be exploited by sending a malicious XML document to the server that contains code that will be executed when the document is deserialized. For example, an attacker could include an XML document that contains a command to execute arbitrary code on the server.

To prevent this type of attack, XML applications should validate the deserialized data before using it. This can be done by using a whitelist of allowed classes or by using a custom deserialization method that validates the data before creating the object.

Exploiting Insecure Deserialization in REST APIs

REST (Representational State Transfer) APIs are used to create web services that can be accessed over the internet. In REST APIs, serialization and deserialization are performed using the JSON or XML formats. When data is sent to the server, it is serialized into the appropriate format. When data is received from the server, it is deserialized back into the appropriate format.

Insecure deserialization in REST APIs can be exploited by sending a malicious JSON or XML string to the server that contains code that will be executed when the string is parsed. For example, an attacker could include a JSON or XML string that contains a command to execute arbitrary code on the server.

To prevent this type of attack, REST API applications should validate the parsed data before using it. This can be done by using a whitelist of allowed classes or by using a custom parse() function that validates the data before creating the object.

In conclusion, insecure deserialization is a serious vulnerability that can be exploited in many different programming languages and formats. It can allow attackers to execute arbitrary code, steal data, or perform other malicious actions. To prevent this type of attack, applications should validate the serialized or deserialized data before using it. This can be done by using a whitelist of allowed classes, by using a custom serialization or deserialization method, or by using other validation techniques. By taking these precautions, businesses can help protect their systems and their customers from the dangers of insecure deserialization.

--

--