Difference between revisions of "Deserialization Cheat Sheet"

From OWASP
Jump to: navigation, search
(Beginning a draft of an safe deserialization page)
 
m
Line 4: Line 4:
 
This article is focused on providing clear, simple, actionable guidance for safely deserializing untrusted data in your applications.
 
This article is focused on providing clear, simple, actionable guidance for safely deserializing untrusted data in your applications.
  
==What is Deserialization?==
+
=What is Deserialization?=
  
 
Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
 
Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
Line 10: Line 10:
 
Many programming languages offer a native capability for serializing their objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.
 
Many programming languages offer a native capability for serializing their objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.
  
The following cheatsheet attempts to dictate safe methodologies for deserializing data that can't be trusted.
+
=Guidance on Deserializing Objects Safely=
 +
The following language-specific guidance attempts to enumerate safe methodologies for deserializing data that can't be trusted.
 +
 
 +
==Java==
 +
The following techniques are all good for preventing attacks against deserialization.
 +
* Use the signing features of a language to assure that deserialized data has not been tainted.
 +
Implementation: When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
 +
Implementation: Explicitly define final readObject() to prevent deserialization.
 +
An example of this is:
 +
 
 +
private final void readObject(ObjectInputStream in)
 +
throws java.io.IOException {
 +
    throw new java.io.IOException("Cannot be deserialized");
 +
}
 +
Implementation: Make fields transient to protect them from deserialization.
 +
Implementation: In your code, override the ObjectInputStream#resolveClass() method to prevent arbitrary classes from being deserialized. This safe behavior can be wrapped in a library like SerialKiller.
 +
Implementation: Use a safe replacement for the generic readObject() method as seen here. Note that this addresses "billion laughs" type attacks by checking input length and number of objects deserialized.
 +
Implementation: Use a Java agent to override the internals of ObjectInputStream to prevent exploitation of known dangerous types as seen in rO0 and NotSoSerial
 +
 
 +
==Python==
 +
 
 +
==Ruby==
 +
 
  
 
= References =  
 
= References =  
 
* [[Deserialization of untrusted data]]
 
* [[Deserialization of untrusted data]]
 +
[http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles]
 +
[http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#websphere]
  
 
= Authors and Primary Editors =
 
= Authors and Primary Editors =

Revision as of 16:11, 17 November 2015

DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article is focused on providing clear, simple, actionable guidance for safely deserializing untrusted data in your applications.

What is Deserialization?

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.

Many programming languages offer a native capability for serializing their objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.

Guidance on Deserializing Objects Safely

The following language-specific guidance attempts to enumerate safe methodologies for deserializing data that can't be trusted.

Java

The following techniques are all good for preventing attacks against deserialization.

  • Use the signing features of a language to assure that deserialized data has not been tainted.

Implementation: When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe. Implementation: Explicitly define final readObject() to prevent deserialization. An example of this is:

private final void readObject(ObjectInputStream in) throws java.io.IOException {

    throw new java.io.IOException("Cannot be deserialized");

} Implementation: Make fields transient to protect them from deserialization. Implementation: In your code, override the ObjectInputStream#resolveClass() method to prevent arbitrary classes from being deserialized. This safe behavior can be wrapped in a library like SerialKiller. Implementation: Use a safe replacement for the generic readObject() method as seen here. Note that this addresses "billion laughs" type attacks by checking input length and number of objects deserialized. Implementation: Use a Java agent to override the internals of ObjectInputStream to prevent exploitation of known dangerous types as seen in rO0 and NotSoSerial

Python

Ruby

References

[1] [2]

Authors and Primary Editors

Arshan Dabirsiaghi - arshan [at] contrastsecurity dot org

Other Cheatsheets

OWASP Cheat Sheets Project Homepage


[[Category:Cheatsheets]]