Info Sec Helper
2 min read · Sep 1, 2020


Insecure Deserialization :-

Hello all ,

This is another write-up, for the last bug that I found.

Bug name :- Insecure Deserialization

Description :-

In computer science, an object is a data structure; in other words, a way to structure data. Two key concepts make it easier to understand:

• Serialization is the process of converting objects to byte strings.

• Deserialization is the process of converting byte strings back into objects.

Consider, for example, a website with a PHP forum that uses PHP object serialization to save a “super” cookie containing the user’s user ID, username, role, password hash, and other state:

Steps to reproduce :-

User -1 :

a:4:{i:0;i:132;i:1;s:6:"user-1";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

(Each field is typed and length-prefixed: `i:132;` is the integer user ID, `s:6:"user-1";` is a 6-byte string, and so on.)

An attacker changes the serialized object to give themselves another user’s privileges:

User -2 :-

a:4:{i:0;i:1;i:1;s:6:"user-2";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

Impact :-

If an attacker is able to deserialize an object successfully, modify it to give themselves an admin role, and serialize it again, this set of actions could compromise the whole web application.

Mitigations :-

• The best way to protect your web application from this type of risk is not to accept serialized objects from untrusted sources.

• Implement integrity checks, such as digital signatures, on any serialized objects to prevent hostile object creation or data tampering.

• Enforce strict type constraints during deserialization, before object creation, since the code typically expects a definable set of classes. Bypasses of this technique have been demonstrated, so relying solely on it is not advisable.

• Isolate and run code that deserializes in low-privilege environments when possible.

• Log deserialization exceptions and failures, such as where the incoming type is not the expected type or the deserialization throws exceptions.

• Restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialize.

• Monitor deserialization, and alert if a user deserializes constantly.
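To make the "super" cookie example and the integrity-check mitigation concrete, here is an added example (not code from the original write-up, and written in Python rather than PHP so it runs stand-alone). It contains a minimal parser for the subset of the PHP serialize() format used on this page (arrays, integers and strings), which rejects a payload whose declared string length does not match its content, and a cookie loader that verifies an HMAC over the serialized payload before it is ever parsed and then enforces the expected shape of the session array. The secret key, the cookie layout (payload, a dot, hex HMAC) and the allowed roles are assumptions made for the demo.

```python
"""Minimal PHP serialize() parser plus an HMAC-protected session cookie.

Added example, not from the original post. Supports only the types that
appear on the page: a: (array), i: (integer), s: (string).
"""
import hashlib
import hmac

# Assumption for the demo: a server-side secret the client never sees.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# The two cookies shown in the write-up (user-1 and the tampered user-2).
USER1 = b'a:4:{i:0;i:132;i:1;s:6:"user-1";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'
TAMPERED = b'a:4:{i:0;i:1;i:1;s:6:"user-2";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}'


def parse_php(data: bytes):
    """Parse one PHP-serialized value; return (value, bytes_consumed).

    Raises ValueError on malformed input, e.g. a string whose declared
    length disagrees with its content (the page's original 's:7:"user-1"').
    """
    tag = data[0:1]
    if tag == b"i":                      # i:<int>;
        end = data.index(b";", 2)
        return int(data[2:end]), end + 1
    if tag == b"s":                      # s:<len>:"<bytes>";
        colon = data.index(b":", 2)
        length = int(data[2:colon])
        start = colon + 2                # skip ':"'
        value = data[start:start + length]
        if len(value) != length or data[start + length:start + length + 2] != b'";':
            raise ValueError("string content does not match declared length")
        return value.decode(), start + length + 2
    if tag == b"a":                      # a:<count>:{<key><value>...}
        colon = data.index(b":", 2)
        count = int(data[2:colon])
        pos = colon + 2                  # skip ':{'
        result = {}
        for _ in range(count):
            key, used = parse_php(data[pos:])
            pos += used
            val, used = parse_php(data[pos:])
            pos += used
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError("array not terminated")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r}")


def is_well_formed(data: bytes) -> bool:
    """True if data is exactly one parsable value with no trailing bytes."""
    try:
        _, used = parse_php(data)
    except ValueError:
        return False
    return used == len(data)


def sign_cookie(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Bind the payload to the server key: payload + '.' + hex HMAC-SHA256."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + mac


def load_session(cookie: bytes, key: bytes = SECRET_KEY):
    """Verify the MAC first, deserialize second, then enforce strict types.

    Returns a session dict, or None when the cookie is rejected for any reason.
    """
    payload, sep, mac = cookie.rpartition(b".")   # MAC is hex, so never contains '.'
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None                      # tampered or forged: never deserialized
    if not is_well_formed(payload):
        return None
    session, _ = parse_php(payload)
    # Strict shape check: keys 0..3, int id, string name/role/hash, known role.
    if not (isinstance(session, dict) and list(session) == [0, 1, 2, 3]
            and isinstance(session[0], int)
            and all(isinstance(session[k], str) for k in (1, 2, 3))
            and session[2] in ("user", "admin")):   # assumed role set
        return None
    return {"id": session[0], "name": session[1], "role": session[2], "hash": session[3]}


def demo():
    """Issue a valid cookie, then try the page's tampered payload with the old MAC."""
    good = sign_cookie(USER1)
    _, _, old_mac = good.rpartition(b".")
    forged = TAMPERED + b"." + old_mac   # attacker cannot recompute the MAC without the key
    return load_session(good), load_session(forged)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("valid cookie ->", accepted)
    print("tampered cookie ->", rejected)
```

Without the MAC step, `parse_php(TAMPERED)` happily yields user ID 1, which is exactly the finding above; with it, the server never deserializes bytes it did not itself emit, and the strict shape check catches payloads that pass the MAC but still carry an unexpected type or key set.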

Thank you for your time ☺

More write-ups will come soon.
