Serialization / Deserialization. What is it?
Serialization turns a live in-memory object into bytes or text that can be stored or sent; deserialization rebuilds an object from that data. The input to deserialization is therefore whatever the other side chose to send.
(Pic from https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
Deserialization vulns
Not so easy:
- The receiver often doesn't know the exact class. The same JSON string may have to be mapped to different target classes depending on context, so the target type is not fixed at the call site:
    User webUser = objectMapper.readValue(json_str, User.class);
    Host webHost = objectMapper.readValue(json_str, Host.class);
Not so easy:
- Very complex objects: object inside object inside object, like a Matryoshka doll
- Which constructor should be used? What if there are multiple constructors?
- The exact class is not known in advance
- Arbitrary objects, with classes chosen by the client
- Deserialization has to call methods (constructors, setters, hooks) on data it has not validated yet
- Language features and limitations differ from runtime to runtime
- etc.
Node.js node-serialize: how to implement it securely?
- The library executes serialized methods while restoring the object (insecure implementation)
- Attacker trick: make the serialized function an Immediately Invoked Function Expression (just add "()" after it), so the body runs during unserialize instead of waiting to be called
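Added example (not code from the slides or from the node-serialize module): a small re-creation of the pattern the slide describes. The assumption is the one documented for node-serialize, that serialized functions are stored as strings tagged with `_$$ND_FUNC$$_` and revived with eval; the function names, the `sideEffect` array and the payload below are constructed for the demo. The insecure reviver shows the IIFE firing at parse time, and a hardened variant shows the fix chosen here: refuse to revive code from data at all.

```javascript
// Tag that marks "this string is a function" in the serialized form
// (same flag node-serialize uses; the surrounding code is a simplified stand-in).
const FUNCFLAG = '_$$ND_FUNC$$_';

// Insecure: any tagged string is eval'd while the JSON is being revived.
// A payload that is an IIFE ("function(){...}()") therefore runs right here,
// before the application has even received the object.
function unserializeInsecure(str) {
  return JSON.parse(str, (key, value) => {
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      return eval('(' + value.slice(FUNCFLAG.length) + ')'); // attacker-controlled text
    }
    return value;
  });
}

// Hardened (our choice for this example): serialized data is never turned
// back into code. Tagged strings are rejected instead of revived.
function unserializeSafe(str) {
  return JSON.parse(str, (key, value) => {
    if (typeof value === 'string' && value.startsWith(FUNCFLAG)) {
      throw new Error('refusing to revive a function from serialized data, key: ' + key);
    }
    return value;
  });
}

// Constructed payload: a normal-looking object where one field is a tagged
// function string. Without the trailing "()" it would only become a function
// value; with it, the body executes as soon as the string is eval'd.
globalThis.sideEffect = [];
const payload = JSON.stringify({
  username: 'alice',
  hook: FUNCFLAG + 'function(){ globalThis.sideEffect.push("executed at parse time"); return 1 }()'
});

// Returns what the insecure path produced: the IIFE's return value ends up
// in the field, and the side effect has already happened.
function demoInsecure() {
  globalThis.sideEffect = [];
  const obj = unserializeInsecure(payload);
  return { hook: obj.hook, effects: globalThis.sideEffect.slice() };
}

// Returns whether the hardened path rejected the payload without running it.
function demoSafe() {
  globalThis.sideEffect = [];
  try {
    unserializeSafe(payload);
    return { rejected: false, effects: globalThis.sideEffect.slice() };
  } catch (e) {
    return { rejected: true, effects: globalThis.sideEffect.slice() };
  }
}

console.log(demoInsecure()); // hook: 1, effects: ['executed at parse time']
console.log(demoSafe());     // rejected: true, effects: []
```

The point of the IIFE is timing: the application never has to call the restored function, because the deserializer already did. Any deserializer that maps data to executable code has this shape, whatever the language.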
Java Jackson
- Don't know the exact class? Polymorphic typing lets the client name the class in the data. Not safe if the set of classes that may be named is too wide.
- Gadgets: classes on the classpath with dangerous stuff in their setters, which run while the object is being populated
- https://github.com/mbechler/marshalsec
- https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
Java native binary serialization
- Create then cast: the object is instantiated from the stream first and only cast to the expected type afterwards, so any object of any known class can be created before the cast fails
- You can implement your own before-deserialization type checker (a look-ahead check on the class name, e.g. by overriding ObjectInputStream.resolveClass) so that unexpected classes are rejected before anything is constructed
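Added example covering both the Jackson slide (a class set that is "too wide", and a setter gadget) and the native-serialization slide (a before-deserialization type check). It is not code from the slides or from Jackson; it is a deliberately small JSON deserializer written here in JavaScript so the shape is visible without a JVM. The `@class` tag, the `TemplateRenderer` gadget class, its `template` setter and the payloads are all constructed for the demo.

```javascript
// Recorded instead of executed, so the "gadget" is harmless in this demo.
const sideEffects = [];

class User { constructor() { this.name = ''; this.profile = null; } }
class Host { constructor() { this.hostname = ''; } }

// A gadget: legitimately loadable, but its setter has a side effect.
// Imagine the setter compiling and evaluating the template source.
class TemplateRenderer {
  set template(src) { sideEffects.push('evaluated template: ' + src); }
}

// "Too wide": every class the application can see is eligible.
const allKnownClasses = { User, Host, TemplateRenderer };

const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

// Builds objects from tagged JSON. Assigning properties triggers setters,
// which is exactly where a gadget gets its code run. Nested tags
// (object inside object inside object) are resolved recursively.
function instantiate(data, registry) {
  if (data === null || typeof data !== 'object') return data;
  if (Array.isArray(data)) return data.map((v) => instantiate(v, registry));
  const tag = data['@class'];
  if (tag === undefined) return data;                 // plain map, no class
  if (!own(registry, tag)) throw new Error('rejected class ' + tag);
  const obj = new registry[tag]();
  for (const [k, v] of Object.entries(data)) {
    if (k !== '@class') obj[k] = instantiate(v, registry);
  }
  return obj;
}

// Insecure: the client chooses the class, and the registry is everything.
function readValueInsecure(json) {
  return instantiate(JSON.parse(json), allKnownClasses);
}

// Look-ahead type check: walk the parsed data and verify every @class tag
// against the caller's allow-list BEFORE any constructor or setter runs.
function checkTypes(data, allowed, path = '$') {
  if (data === null || typeof data !== 'object') return;
  if (Array.isArray(data)) {
    data.forEach((v, i) => checkTypes(v, allowed, `${path}[${i}]`));
    return;
  }
  const tag = data['@class'];
  if (tag !== undefined && !own(allowed, tag)) {
    throw new Error(`rejected class ${tag} at ${path}`);
  }
  for (const [k, v] of Object.entries(data)) {
    if (k !== '@class') checkTypes(v, allowed, `${path}.${k}`);
  }
}

// Hardened: narrow allow-list, checked first, then used as the registry.
function readValueChecked(json, allowed) {
  const data = JSON.parse(json);
  checkTypes(data, allowed);          // nothing has been constructed yet
  return instantiate(data, allowed);
}

// Constructed payloads: a direct gadget, and one hidden inside a valid User.
const directGadget = JSON.stringify({ '@class': 'TemplateRenderer', template: '{{attacker}}' });
const nestedGadget = JSON.stringify({
  '@class': 'User', name: 'bob',
  profile: { '@class': 'TemplateRenderer', template: '{{nested}}' }
});
const legitUser = JSON.stringify({ '@class': 'User', name: 'alice' });
const onlyUser = { User };

function demoInsecure() {
  sideEffects.length = 0;
  const a = readValueInsecure(directGadget);
  const b = readValueInsecure(nestedGadget);
  return { direct: a.constructor.name, nestedProfile: b.profile.constructor.name,
           effects: sideEffects.slice() };
}

function demoChecked() {
  sideEffects.length = 0;
  const results = [];
  for (const json of [directGadget, nestedGadget]) {
    try { readValueChecked(json, onlyUser); results.push('accepted'); }
    catch (e) { results.push(e.message); }
  }
  const legit = readValueChecked(legitUser, onlyUser).name;
  return { results, legit, effects: sideEffects.slice() };
}

console.log(demoInsecure()); // both gadgets built, two template side effects
console.log(demoChecked());  // both rejected by path, no side effects, legit user ok
```

Two things to notice: the nested payload is only caught because the check recurses through every level before instantiation starts, and the allow-list is per call site, which is what "knowing the exact class" buys you. A production version would also restrict assignment to the declared fields of the allowed class rather than copying every key from the data.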
Conclusion
- We control the serialized object
- Basic requirements for an attack: be able to set the class/object, and have the deserializer call a method on it
- Even without code execution, attacks on business logic (objects in states the application never produces itself)
- Language independent: the same problem exists in Ruby, PHP, .NET, etc.