Difference between revisions of "Information leak through serialization"

From OWASP
Jump to: navigation, search
(Examples)
 
(8 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
{{Template:Vulnerability}}
 +
{{Template:SecureSoftware}}
  
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
{{Template:SecureSoftware}}
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
==Overview==
+
==Description==
  
 
Serializable classes are effectively open classes since data cannot be hidden in them.  
 
Serializable classes are effectively open classes since data cannot be hidden in them.  
  
==Consequences ==
+
'''Consequences'''
  
* Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.  
+
* Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.  
  
==Exposure period ==
+
'''Exposure period'''
  
* Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.
+
* Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.
  
==Platform ==
+
'''Platform'''
  
* Languages: Java, C++
+
* Languages: Java, C++
 +
* Operating platforms: Any
  
* Operating platforms: Any
+
'''Required resources'''
 
+
==Required resources ==
+
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
High
 
High
  
==Likelihood   of exploit ==
+
'''Likelihood of exploit'''
  
 
High
 
High
  
==Avoidance and mitigation ==
+
Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.
  
* Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
 
  
* Implementation: Make sure to prevent serialization of your objects.
+
==Risk Factors==
  
==Discussion ==
+
TBD
  
Classes which do no explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.
+
==Examples==
 
+
==Examples ==
+
  
 
<pre>
 
<pre>
Line 61: Line 60:
 
</pre>
 
</pre>
  
==Related problems ==
 
  
Not available.
+
==Related [[Attacks]]==
  
==Categories ==
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
[[Category:Vulnerability]]
 
  
[[Category:Environmental Problem]]
+
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
 +
* Implementation: Make sure to prevent serialization of your objects.
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
 +
 
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 
 +
 
 +
==References==
 +
 
 +
TBD
 +
 
 +
[[Category:FIXME|add links
 +
 
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 
 +
Availability Vulnerability
 +
 
 +
Authorization Vulnerability
 +
 
 +
Authentication Vulnerability
 +
 
 +
Concurrency Vulnerability
 +
 
 +
Configuration Vulnerability
 +
 
 +
Cryptographic Vulnerability
 +
 
 +
Encoding Vulnerability
 +
 
 +
Error Handling Vulnerability
 +
 
 +
Input Validation Vulnerability
 +
 
 +
Logging and Auditing Vulnerability
 +
 
 +
Session Management Vulnerability]]
 +
 
 +
__NOTOC__
 +
 
 +
 
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Vulnerability]]
 +
[[Category:Environmental Vulnerability]]
 +
[[Category:OWASP_CLASP_Project]]

Latest revision as of 20:22, 20 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.



Last revision (mm/dd/yy): 02/20/2009

Vulnerabilities Table of Contents

Description

Serializable classes are effectively open classes since data cannot be hidden in them.

Consequences

  • Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.

Exposure period

  • Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.

Platform

  • Languages: Java, C++
  • Operating platforms: Any

Required resources

Any

Severity

High

Likelihood of exploit

High

Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.


Risk Factors

TBD

Examples

class Teacher
{
        
        private String name;
        private String clas;
        public Teacher(String name,String clas)
        {
               //...//Check the database for the name and address
                this.SetName() = name;
                this.Setclas() = clas;

        }
}


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
  • Implementation: Make sure to prevent serialization of your objects.


Related Technical Impacts


References

TBD