OWASP insecure deserialization explained with examples

Hello and welcome to this exciting tutorial. Today we step up our game with a bug that leads straight to remote code execution: insecure deserialization. We are just two steps away from the end of the OWASP Top 10 vulnerabilities. It’s been a great journey so far, and I hope you have learned something along the way.

This is the plan for this video:
- Insecure deserialization definition: this is where you will learn the key terminology and concepts behind this vulnerability.
- Examples of insecure deserialization in different programming languages: we will explore simple examples in PHP, Python and Java to help you understand how the vulnerability works.
- What is the impact: in this section, you will understand how bad insecure deserialization can be.
- How to exploit it, with an example: this is where you will learn to go beyond running tools. You will perform white-box testing and build custom code to solve a challenge on OWASP WebGoat.

What is insecure deserialization?
Let’s first look at the whole picture. When you learn a programming language, the first thing you learn is how to define the variables, classes and data structures that best suit your needs. Then you learn how to manipulate them to get your work done. So far, these objects live in memory, but sometimes you need to store their state or share it with other systems. That’s where serialization and deserialization come into play.

What is Serialization?
Let’s say that you are playing with a character in a game. While you see the character on the screen, the software sees and manipulates an object residing in memory.
What if the game wants to store the state of that character in a file, or share it with another system? There has to be a way to turn the in-memory object into a stream of bytes that can easily be stored and transmitted. That is what serialization is about. When the game serializes an object, we say that the object is serialized.

What is Deserialization?
Deserialization is the opposite of serialization: it converts the serialized data back into an in-memory representation that the software can manipulate. Continuing the previous example, when the game wants to restore the state of the serialized character object, it has to deserialize it first.

What can go wrong here?
When software deserializes user-controlled data without verifying it first, we call that insecure deserialization. The reason it is dangerous is that native serialization formats (Java serialization, PHP serialize(), Python pickle) record not only field values but also which classes to instantiate, and rebuilding those objects runs their code (constructors, magic methods, reduce callables) while the stream is still being read. In our game example, an attacker could supply a crafted save file whose serialized content describes a malicious object. If the developer doesn’t verify the data before deserializing it, the deserialization itself triggers the attacker’s code, before the application ever gets to look at the result.

Insecure deserialization impact

A successful attack can lead to arbitrary code execution on the server, which means Confidentiality, Integrity and Availability are all at stake. Even when the attacker cannot build a working serialized payload (for example, no usable gadget chain is present), a malformed or oversized payload can still trigger an exception or exhaust resources and crash the service, impacting Availability.

Insecure deserialization tools
There are many tools that can assist you when you are hunting for insecure deserialization vulnerabilities. For Java, you can use the Java Deserialization Scanner Burp Suite extension, which tests for known vulnerable libraries using predefined gadget chains (POP chains), and then ysoserial to generate the matching payload. However, you noticed how little these tools helped in the WebGoat insecure deserialization challenge: the application used its own class rather than a library with a known chain. Therefore, I think the most valuable tools for this vulnerability are a good deal of white-box testing, some patience and analysis skills.

Insecure deserialization mitigation
As you might have concluded from what we saw, you should never trust data that you deserialize. Restrict deserialization to an allow-list of the classes you expect and reject everything else, and do it before the object is built: the dangerous code in a gadget chain runs while the stream is being read, not after. How you do this depends on the programming language. Python, for example, lets you restrict which classes an unpickler may resolve. For Java, you saw how the WebGoat challenge checks that the deserialized data is of type VulnerableTaskHolder; in production code that check belongs in the stream itself (an ObjectInputStream.resolveClass override or an ObjectInputFilter) rather than on the object returned by readObject. For solutions that don’t depend on a language, think about using pure data formats like JSON or XML instead of native object serialization, and use digital signatures so that only data produced by your own server is accepted. You can find more in the OWASP Deserialization Cheat Sheet.
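
The following is an added example for this page (it is not code from the video or from WebGoat) that puts the "what can go wrong" and the mitigation sections side by side in Python. The Character class, the Exploit class with its `__reduce__` method, the allow-list and the HMAC key are all assumptions made up for the demonstration. The vulnerable path calls `pickle.loads` on an attacker-supplied blob and a shell command runs during deserialization; the restricted unpickler refuses the same blob before the referenced callable is ever resolved, and the signed variant refuses to parse anything the server did not produce.

```python
"""Insecure vs. restricted deserialization with Python's pickle module.

Added example for this page: not code from the video or from WebGoat.
The Character class, the Exploit class, the allow-list and the HMAC key
are all assumptions made up for the demonstration.
"""
import hashlib
import hmac
import io
import os
import pickle


class Character:
    """The legitimate in-memory object the game saves and loads."""

    def __init__(self, name: str, level: int) -> None:
        self.name = name
        self.level = level


class Exploit:
    """Attacker-side class. A pickle is a recipe for rebuilding an object,
    and __reduce__ lets that recipe be 'call os.system with this string'.
    The command runs inside pickle.loads(), before the application gets a
    chance to inspect the result. (A harmless echo here; a real payload
    would not be.)"""

    def __reduce__(self):
        return (os.system, ("echo attacker code ran during deserialization",))


def build_legit_payload() -> bytes:
    """Constructed sample: a saved character, as the game itself would write it."""
    return pickle.dumps(Character("Artemis", 42))


def build_malicious_payload() -> bytes:
    """Constructed sample: the attacker's 'save file'. Exploit itself is never
    needed on the victim; the pickle only references os.system and the args."""
    return pickle.dumps(Exploit())


def vulnerable_load(data: bytes):
    """Insecure deserialization: whatever callables the bytes name get invoked."""
    return pickle.loads(data)


# Mitigation 1: an allow-list of the globals (classes) the unpickler may resolve.
ALLOWED_GLOBALS = {
    Character.__module__: {"Character"},
    "builtins": {"dict", "list", "tuple", "set", "str", "int", "float", "bool"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is consulted for every GLOBAL/STACK_GLOBAL opcode, so an
    unexpected class or function is refused before it is ever obtained,
    let alone called."""

    def find_class(self, module: str, name: str):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Mitigation 2 (language-independent idea): authenticate the blob with a
# server-side secret so that only data the server produced is ever parsed.
TAG_LEN = hashlib.sha256().digest_size


def sign(data: bytes, key: bytes) -> bytes:
    """Prepend an HMAC-SHA256 tag over the serialized bytes."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(blob: bytes, key: bytes):
    """Verify first, deserialize second, and still use the restricted
    unpickler (defence in depth)."""
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: refusing to deserialize")
    return restricted_load(data)


if __name__ == "__main__":
    key = os.urandom(32)  # assumption: kept server-side only, never sent to clients
    legit, evil = build_legit_payload(), build_malicious_payload()
    print("vulnerable, legit ->", vars(vulnerable_load(legit)))
    print("vulnerable, evil  ->", vulnerable_load(evil))  # echo runs; returns its exit status
    print("restricted, legit ->", vars(restricted_load(legit)))
    try:
        restricted_load(evil)
    except pickle.UnpicklingError as exc:
        print("restricted, evil  -> rejected:", exc)
    try:
        verify_and_load(sign(legit, key)[:TAG_LEN] + evil, key)  # genuine tag, swapped body
    except ValueError as exc:
        print("signed, tampered  -> rejected:", exc)
    print("signed, genuine   ->", vars(verify_and_load(sign(legit, key), key)))
```

Two design points are worth noting. The allow-list check lives in `find_class`, which pickle calls while it is still reading the stream, so the rejection happens before any attacker-chosen callable exists in memory; checking `isinstance(result, Character)` after `pickle.loads` would be too late, because the echo has already run. The HMAC is verified with `hmac.compare_digest` before any parsing at all, which is the language-independent version of the same rule: decide whether to trust the bytes first, deserialize second. Even with both in place, the Python documentation's own advice stands: prefer JSON for data that crosses a trust boundary.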
Comments

One of the best videos I've seen on this. Big up, sir!

andreelyusef

Wow, awesome video, one of the best out here about deserialization! Especially love that you show how to use it with docker containers, might try it out myself. Subscribed, waiting for more :)

livelia

Thanks, man. I'm new to this and this was good for my head! Surprised you've only got 116 likes! Keep it up. Thanks.

TobMisKwa_Lee

You already performed white-box testing, but how about testing insecure deserialization completely black-box? How do you detect the PHP deserialization, and how do you discover the classes that have been used in the process?

robinhood

Can't we write a vulnerable function ourselves and serialize it? When it is deserialized, doesn't it run the vulnerable function in the serialized code...?

What I meant is, can we override the function of the server and replace it with the serialized vulnerable function?

sairam-ljzu

Great video. So all the vulnerable serialized files which have insecure deserialization will start with ro0AB. How does that work?

sairam-ljzu
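
As an added example (not part of the video or of any comment above), here is the practical answer to the detection questions in this thread. The "ro0AB" in the comment refers to the base64 prefix rO0AB: Java serialization streams start with the magic bytes AC ED 00 05 (STREAM_MAGIC followed by STREAM_VERSION), and those four bytes base64-encode to a string beginning with rO0AB whatever follows them. PHP serialize() output and Python pickles have their own recognisable openings. The script below checks request parameter values for those fingerprints, including after URL decoding and base64 decoding, since that is how the blobs usually travel in cookies, hidden fields and tokens. The class name com.example.TaskHolder and every value in SAMPLES are constructed for the example, not captured traffic. A hit only tells you where an application accepts native serialized data; it says nothing about exploitability, which is where the white-box work shown in the video begins.

```python
"""Fingerprinting native serialized data in request parameters.

Added example for this page (not from the video or the comments). The
magic bytes checked are those of Java serialization, PHP serialize() and
Python pickle; the parameter values in SAMPLES are constructed, not real
traffic. A hit means the application accepts serialized data at that
point; it does not by itself prove the endpoint is exploitable.
"""
import base64
import binascii
import pickle
import re
from urllib.parse import unquote_to_bytes

# Java: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005). In base64 these four
# bytes always make the string start with "rO0AB".
JAVA_MAGIC = b"\xac\xed\x00\x05"
# PHP serialize(): O:<len>:"<class>":<n>:{...} (C: for classes with custom
# serialization) and a:<n>:{...} for arrays.
PHP_OBJECT = re.compile(rb'^[OC]:\d+:"[^"]+":\d+:\{')
PHP_ARRAY = re.compile(rb"^a:\d+:\{")
# Python pickle protocols 2-5 open with the PROTO opcode 0x80 + protocol number.
PICKLE_PROTO = re.compile(rb"^\x80[\x02-\x05]")

BASE64_CHARS = re.compile(rb"[A-Za-z0-9+/=_-]{8,}")
URLSAFE_TO_STD = bytes.maketrans(b"-_", b"+/")


def fingerprint(raw: bytes) -> list[str]:
    """Formats recognised at the very start of a decoded value."""
    hits = []
    if raw.startswith(JAVA_MAGIC):
        hits.append("java-serialized")
    if PHP_OBJECT.match(raw):
        hits.append("php-serialized-object")
    elif PHP_ARRAY.match(raw):
        hits.append("php-serialized-array")
    if PICKLE_PROTO.match(raw):
        hits.append("python-pickle")
    return hits


def decodings(value: bytes):
    """Yield the value as sent, URL-decoded, and base64-decoded (standard or
    URL-safe alphabet): serialized blobs almost always pass through one of
    these layers in a cookie, hidden field or parameter."""
    yield value
    unquoted = unquote_to_bytes(value)
    if unquoted != value:
        yield unquoted
    for candidate in {value, unquoted}:
        text = candidate.strip()
        if BASE64_CHARS.fullmatch(text):
            std = text.translate(URLSAFE_TO_STD)
            try:
                yield base64.b64decode(std + b"=" * (-len(std) % 4), validate=True)
            except binascii.Error:
                pass


def classify(value: bytes) -> list[str]:
    """Every serialization format detected at any decoding layer; [] if none."""
    found: list[str] = []
    for raw in decodings(value):
        for tag in fingerprint(raw):
            if tag not in found:
                found.append(tag)
    return found


# Constructed samples (hypothetical class names, not real traffic).
# TC_OBJECT (0x73), TC_CLASSDESC (0x72), then the UTF length-prefixed class name.
JAVA_STREAM = JAVA_MAGIC + b"\x73\x72\x00\x16com.example.TaskHolder"
SAMPLES = {
    "token": base64.b64encode(JAVA_STREAM),                       # the "rO0AB..." shape
    "session": b'O:10:"TaskHolder":1:{s:4:"name";s:3:"foo";}',
    "prefs": base64.urlsafe_b64encode(pickle.dumps({"theme": "dark"})),
    "q": b"hello%20world",
    "profile": base64.b64encode(b'{"name": "foo"}'),              # base64, but JSON: no hit
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:8} {classify(value) or '-'}")
```

Run over real traffic, the same function can be pointed at cookie values, hidden form fields and path segments; the tags it returns tell you which language's deserialization code to go and read, which is exactly the question the black-box commenters above are asking.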

So you didn't actually show how to detect a serialization vulnerability. You just provided an app that told you one existed and showed how to exploit it. You should re-do this video and show us the serialized object in Burp. Ideally you would also show how to identify these vulnerabilities in PHP on a site, not just in code.

defcon

First of all, thank you for this great tutorial. I am studying deserialization and it's hard for me since I come from the world of networks... I have a question. I understand the concept, but I want to take it to real-life cases in my work: how do you know when a back end has Java or PHP behind it and is vulnerable to deserialization?
I am testing the Burp Suite deserialization scanner extension and it works great. Do you know if it is possible to do an RCE with WebGoat in the deserialization part?

alegerminal

Hi, can you help me? Why can't I run that code for WebGoat deserialization? Thanks

amirizwan