HIGH deserialization attack

Deserialization Attack Attack

How Deserialization Attack Works

Deserialization attacks exploit the process of converting serialized data back into its original object form. When applications serialize objects, they convert complex data structures into a format that can be stored or transmitted (like JSON, XML, or binary formats). Deserialization reverses this process, reconstructing the original object from the serialized data.

The attack works because many programming languages allow objects to define custom deserialization logic. When malicious data is deserialized, it can trigger arbitrary code execution, memory corruption, or other security vulnerabilities. Attackers craft specially formatted payloads that, when deserialized, execute unintended operations.

Consider a Java application using the ObjectInputStream class. An attacker might send a serialized object that, when deserialized, creates a malicious object with a constructor that executes system commands. The vulnerable code might look like:

public void processRequest(InputStream request) {
    ObjectInputStream ois = new ObjectInputStream(request);
    Object obj = ois.readObject();
    // Process the object without validation
}

Without proper validation, this code is vulnerable to deserialization attacks. The attacker can send a serialized payload that, when deserialized, executes arbitrary code on the server.

Deserialization Attack Against APIs

APIs are particularly vulnerable to deserialization attacks because they often accept serialized data from untrusted sources. Common attack vectors include:

Request bodies containing serialized objects
HTTP headers with serialized authentication tokens
Cookies storing serialized session data
WebSocket messages with serialized payloads

An attacker might exploit a REST API endpoint that accepts serialized Java objects in the request body. The vulnerable endpoint might deserialize user-provided data without validation:

POST /api/process-data HTTP/1.1
Content-Type: application/x-java-serialized-object

[malicious serialized payload]

Real-world examples include the Apache Commons Collections library vulnerability (CVE-2015-3253), which allowed remote code execution through deserialization of malicious gadget chains. Attackers could exploit this by sending crafted payloads that leveraged vulnerable libraries to execute arbitrary commands.

Another example is the Java Spring Framework deserialization vulnerability (CVE-2017-5638), where attackers could execute arbitrary code by sending malicious serialized data to endpoints that used vulnerable Spring components.

middleBrick can detect deserialization vulnerabilities by testing API endpoints for unsafe deserialization practices. The scanner attempts to identify endpoints that accept serialized data without proper validation and checks for common deserialization patterns that could lead to security issues.

Detection & Prevention

Detecting deserialization vulnerabilities requires both static analysis and dynamic testing. middleBrick's API security scanner includes specific checks for deserialization risks:

Content-Type header analysis to identify endpoints accepting serialized formats
Payload structure analysis to detect suspicious serialized data patterns
Library version checks to identify known vulnerable deserialization libraries
Input validation testing to verify proper sanitization of serialized data

Prevention strategies include:

Input Validation: Never deserialize untrusted data. Validate and sanitize all input before processing.
Safe Deserialization: Use safe deserialization libraries and frameworks that provide built-in protections against malicious payloads.
Whitelisting: Only deserialize known, safe object types. Reject any objects that aren't explicitly allowed.
Security Updates: Keep all libraries and frameworks updated to patch known deserialization vulnerabilities.
Network Segmentation: Isolate systems that handle deserialization to limit potential damage from successful attacks.

Code example of secure deserialization:

public void processRequest(InputStream request) {
    // Validate content type
    if (!request.getContentType().equals("application/json")) {
        throw new SecurityException("Invalid content type");
    }
    
    // Use safe deserialization
    ObjectMapper mapper = new ObjectMapper();
    try {
        MySafeObject obj = mapper.readValue(request, MySafeObject.class);
        // Process the object
    } catch (Exception e) {
        // Handle deserialization errors securely
        throw new SecurityException("Deserialization failed");
    }
}

For production APIs, consider implementing a security gateway that inspects and blocks suspicious serialized payloads before they reach your application logic. middleBrick's continuous monitoring can alert you to new deserialization vulnerabilities as they emerge in your API ecosystem.

Frequently Asked Questions

What makes deserialization attacks so dangerous?

Deserialization attacks are particularly dangerous because they can lead to remote code execution, allowing attackers to take complete control of the target system. Unlike injection attacks that might only affect data, deserialization vulnerabilities can compromise the entire application and potentially the underlying server. The attack can bypass many traditional security controls since it exploits the application's normal deserialization functionality.

How can I test my APIs for deserialization vulnerabilities?

You can use middleBrick's API security scanner to automatically test your endpoints for deserialization vulnerabilities. The scanner analyzes your API's attack surface, attempts to identify endpoints that accept serialized data, and checks for common deserialization patterns. For manual testing, review your code for unsafe deserialization practices, check for vulnerable library versions, and use security testing tools that specialize in deserialization attacks. Always test in a controlled environment before deploying to production.