Difference between revisions of "Information leak through serialization"

From OWASP
Jump to: navigation, search
Line 11: Line 11:
 
==Description==
 
==Description==
  
A vulnerability is a weakness in an application (frequently a broken or missing control) that enables an attack to succeed. Be sure you don't put [attacks] or [controls] in this category.
+
Serializable classes are effectively open classes since data cannot be hidden in them.  
  
# Start with a one-sentence description of the vulnerability
+
'''Consequences'''
# What is the problem that creates the vulnerability?
+
# What are the attacks that target this vulnerability?
+
# What are the technical impacts of this vulnerability?
+
  
 +
* Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.
  
==Risk Factors==
+
'''Exposure period'''
 +
 
 +
* Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.
 +
 
 +
'''Platform'''
 +
 
 +
* Languages: Java, C++
 +
* Operating platforms: Any
 +
 
 +
'''Required resources'''
 +
 
 +
Any
 +
 
 +
'''Severity'''
 +
 
 +
High
  
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
+
'''Likelihood of exploit'''
* Discuss the technical impact of a successful exploit of this vulnerability
+
 
* Consider the likely [business impacts] of a successful attack
+
High
 +
 
 +
Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.
 +
 
 +
 
 +
==Risk Factors==
  
 +
TBD
  
 
==Examples==
 
==Examples==
  
===Short example name===
+
<pre>
: A short example description, small picture, or sample code with [http://www.site.com links]
+
class Teacher
 +
{
 +
       
 +
        private String name;
 +
        private String clas;
 +
        public Teacher(String name,String clas)
 +
        {
 +
              //...//Check the database for the name and address
 +
                this.SetName() = name;
 +
                this.Setclas() = clas;
  
===Short example name===
+
        }
: A short example description, small picture, or sample code with [http://www.site.com links]
+
}
 +
</pre>
  
  
Line 45: Line 74:
 
* [[Vulnerability 1]]
 
* [[Vulnerability 1]]
 
* [[Vulnerabiltiy 2]]
 
* [[Vulnerabiltiy 2]]
 
Note: the contents of "Related Problems" sections should be placed here
 
  
  
 
==Related [[Controls]]==
 
==Related [[Controls]]==
  
* [[Control 1]]
+
* Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
* [[Control 2]]
+
* Implementation: Make sure to prevent serialization of your objects.
 
+
Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here
+
  
  
Line 64: Line 89:
  
 
==References==
 
==References==
Note: A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
 
  
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
+
TBD
* http://www.link1.com
+
* [http://www.link2.com Title for the link2]
+
  
 
[[Category:FIXME|add links
 
[[Category:FIXME|add links
Line 100: Line 122:
  
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
 
==Overview==
 
 
Serializable classes are effectively open classes since data cannot be hidden in them.
 
 
==Consequences ==
 
 
* Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.
 
 
==Exposure period ==
 
 
* Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.
 
 
==Platform ==
 
 
* Languages: Java, C++
 
 
* Operating platforms: Any
 
 
==Required resources ==
 
 
Any
 
 
==Severity ==
 
 
High
 
 
==Likelihood  of exploit ==
 
 
High
 
 
==Avoidance and mitigation ==
 
 
* Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
 
 
* Implementation: Make sure to prevent serialization of your objects.
 
 
==Discussion ==
 
 
Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.
 
 
==Examples ==
 
 
<pre>
 
class Teacher
 
{
 
       
 
        private String name;
 
        private String clas;
 
        public Teacher(String name,String clas)
 
        {
 
              //...//Check the database for the name and address
 
                this.SetName() = name;
 
                this.Setclas() = clas;
 
 
        }
 
}
 
</pre>
 
 
==Related problems ==
 
 
Not available.
 
 
 
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]
 
 
[[Category:Environmental Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 
 
[[Category:OWASP_CLASP_Project]]
 
[[Category:OWASP_CLASP_Project]]

Revision as of 08:59, 26 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 09/26/2008

Vulnerabilities Table of Contents

ASDR Table of Contents

Contents


Description

Serializable classes are effectively open classes since data cannot be hidden in them.

Consequences

  • Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.

Exposure period

  • Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.


Risk Factors

TBD

Examples

class Teacher
{
        
        private String name;
        private String clas;
        public Teacher(String name,String clas)
        {
               //...//Check the database for the name and address
                this.SetName() = name;
                this.Setclas() = clas;

        }
}


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
  • Implementation: Make sure to prevent serialization of your objects.


Related Technical Impacts


References

TBD