Information leak through serialization

Revision as of 07:53, 26 September 2008 by KirstenS (Talk | contribs)

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 09/26/2008

Vulnerabilities Table of Contents

ASDR Table of Contents


A vulnerability is a weakness in an application (frequently a broken or missing control) that enables an attack to succeed. Be sure you don't put [attacks] or [controls] in this category.

  1. Start with a one-sentence description of the vulnerability
  2. What is the problem that creates the vulnerability?
  3. What are the attacks that target this vulnerability?
  4. What are the technical impacts of this vulnerability?

Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely [business impacts] of a successful attack


Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links

Related Attacks

Related Vulnerabilities

Note: the contents of "Related Problems" sections should be placed here

Related Controls

Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here

Related Technical Impacts


Note: A reference to related CWE or CAPEC article should be added when exists. Eg:


Serializable classes are effectively open classes since data cannot be hidden in them.


  • Confidentiality: Attacker can write out the class to a byte stream in which they can extract the important data from it.

Exposure period

  • Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.


  • Languages: Java, C++
  • Operating platforms: Any

Required resources




Likelihood of exploit


Avoidance and mitigation

  • Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
  • Implementation: Make sure to prevent serialization of your objects.


Classes which do not explicitly deny serialization can be serialized by any other class which can then in turn use the data stored inside it.


class Teacher
        private String name;
        private String clas;
        public Teacher(String name,String clas)
               //...//Check the database for the name and address
                this.SetName() = name;
                this.Setclas() = clas;


Related problems

Not available.