Continuing our series of articles helping business leaders understand cybersecurity threats, we take a look at insecure deserialisation.
What is insecure deserialisation?
According to OWASP: Insecure deserialisation often leads to remote code execution. Even if deserialisation flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
In layman’s terms: Insecure deserialisation is when a website deserialises user-controllable data (information that a user can input or change, such as contact details). This potentially enables an attacker to manipulate serialised objects in order to pass harmful data into the application code.
Now, this can get a bit tricky so let us break it down.
What is serialisation?
Serialisation: Flattening complex data into a byte stream so that it can be stored, processed and transferred efficiently.
Serialisation simplifies processes such as writing complex data into a file, database, or inter-process memory. Serialisation also facilitates transferring complex data over a network between components of an application.
What is deserialisation?
Deserialisation: The reverse of serialisation; it restores a byte stream into a fully functional replica of the original object, in the exact state it was in when it was serialised.
How is insecure deserialisation dangerous?
Insecure deserialisation: This typically arises because there is a general lack of understanding of how dangerous deserialising user-controllable data can be. Ideally, user input should never be deserialised at all.
However, websites continue to deserialise because, in some instances, deserialising data from untrusted sources is unavoidable. This gives attackers an opportunity to tamper with the serialised data before the application deserialises it, and so to introduce harmful data into the application code.
Insecure deserialisation can result in further vulnerabilities, such as privilege escalation, authentication bypass, remote code execution, and denial-of-service attacks. To be effective, measures to prevent insecure deserialisation must be implemented before deserialisation occurs.
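The two measures the article describes, as an added example in Python that is not part of the original article: user-supplied contact details are parsed from a data-only format against an allowlist, and where a native object format (here Python's pickle, standing in for any such format) cannot be avoided, the bytes are authenticated before deserialisation and loaded by an unpickler that refuses to resolve any global name. The key, the contact schema and the sample inputs are constructed for the demo.

```python
import hashlib
import hmac
import io
import json
import pickle

KEY = b"constructed-demo-key"  # constructed; load a real key from a secret store
# Preferred for user input such as contact details: a data-only format
# (JSON) checked against an allowlist of fields and types before use.
CONTACT_FIELDS = {"name": str, "email": str, "age": int}

def parse_contact(raw: bytes) -> dict:
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) - set(CONTACT_FIELDS):
        raise ValueError("unexpected field in contact record")
    for field, typ in CONTACT_FIELDS.items():
        if not isinstance(data.get(field), typ):
            raise ValueError(f"{field} missing or wrong type")
    return data

# When a native object format (here Python's pickle) cannot be avoided:
# authenticate the bytes BEFORE deserialising, and use a loader that refuses
# to resolve any global name, so the stream can only rebuild plain data.
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest() + payload

def verify_then_unpickle(blob: bytes):
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialise")
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def outcome(func, *args) -> str:
    """Run one case and report 'ok' or the reason it was rejected."""
    try:
        func(*args)
        return "ok"
    except (ValueError, pickle.UnpicklingError) as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    good = sign(pickle.dumps({"cart": [1, 2, 3]}))
    tampered = good[:-1] + bytes([good[-1] ^ 1])  # one flipped payload byte
    for blob in (good, tampered, sign(pickle.dumps(json.JSONDecoder))):
        print(outcome(verify_then_unpickle, blob))
```

The third case in the demo is a stream that references a class by name; the restricted loader rejects it even though its signature is valid, which is the point of applying both checks rather than either alone.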
How to find and test for insecure deserialisation vulnerabilities
Penetration testing can identify insecure deserialisation vulnerabilities, security misconfiguration, and instances of using components with known vulnerabilities. Contact OmniCyber Security today to find out how pen testing can identify weaknesses in your systems and recommend robust measures to remove them.