Difference between revisions of "Information leak through serialization"

From OWASP
Jump to: navigation, search
(Examples)
(Discussion)
Line 41: Line 41:
 
==Discussion ==
 
==Discussion ==
  
Classes which do no explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.  
+
Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.
  
 
==Examples ==
 
==Examples ==

Revision as of 11:13, 16 April 2006



Overview

Serializable classes are effectively open classes since data cannot be hidden in them.

Consequences

  • Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.

Exposure period

  • Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

Avoidance and mitigation

  • Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
  • Implementation: Make sure to prevent serialization of your objects.

Discussion

Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.

Examples

class Teacher
{
        
        private String name;
        private String clas;
        public Teacher(String name,String clas)
        {
               //...//Check the database for the name and address
                this.SetName() = name;
                this.Setclas() = clas;

        }
}

Related problems

Not available.

Categories