What are Serialization Attacks and How to Prevent Them?
Serialization attacks are lesser-known threat vectors than other sensationalized threat vectors. They are uncommon too as they require a greater level of expertise for attacks to successfully execute. Serialization vulnerabilities, if successfully exploited by attackers, can lead to data breaches and other cyber-attacks. Given its severity and lethality, as well as, the challenges involved in its prevention, serialization attacks feature on the OWASP Top 10 list of app security risks as insecure deserialization.
In this article, we delve further into these attacks and discuss ways to prevent them.
Serialization Attacks: A Deep Dive
Serialization and Deserialization
To understand how these attacks work, it is important to understand the foundation concepts of and the difference between serialization and deserialization.
Serialization is the process wherein complex data structures such as objects and their fields are transformed into ‘flatter’ formats that can be sent and received as a sequential stream of bytes. Programming languages use either binary or string formats to serialize objects. Popular serialization formats include CSV, JSON and XML.
Serialization is a basic function that is necessary in applications for the easy storage and transfer of data. By transforming complex data structures into flatter formats, serialization reduces the data’s disk space and bandwidth and requirements. It is leveraged in web services, databases, and caching servers.
Deserialization is the reverse process wherein the sequential stream of bytes is read and restored to its original data structure. In other words, it is the process by which an object and its fields are recreated in the memory from the serialized form.
Serialization and deserialization, when implemented securely, are powerful processes for storage and data transfer.
What are Serialization Attacks? How Do They Work?
Suppose an attacker sends a serialized object that is compromised/ contains malicious payload (such as modified JSON payload) to an application or an API endpoint hoping that the user will execute the unvalidated, untrusted input inserted into the application by them.
Serialization attacks occur when the user directly deserializes such unvalidated malicious/ hostile data sent by the attacker into the in-memory structure. The attack is successful because the application has an insecure deserialization vulnerability.
In another scenario of a serialization attack, the attacker may intercept serialized objects in transition between two servers when it is not transferred through a tamper-proof, encrypted channel. This could be dangerous if sensitive data is contained in the object, or its fields is serialized.
The attacker leverages the serialization vulnerability to gain access to the applications/ systems/ networks and/or exfiltrate data. These attacks could lead to remote code execution, data compromise, ransomware attacks, access control attacks, DoS attacks, server crashes, authentication bypass, SQL injections, path traversal, and so on
When is an Application Vulnerable to These Attacks?
In today’s highly interconnected IT environment with extensive dependencies, there is a growing number of classes and methods which are difficult to manage. Attackers could use any of these classes and methods to orchestrate an attack. These growing dependencies are a source of serialization vulnerabilities.
If the application naively deserializes all inputs without checks and validation processes in place, it leaves itself open to insecure deserialization. Serialization of sensitive data too leaves the application at a high risk of attacks.
The application may be vulnerable to these attacks even if both endpoints of serialization and deserialization are controlled by the organization. This could happen if the data transmission is not secured by TLS/ SSL protocols which encrypt data in transit.
An application is vulnerable to serialization attacks if it allows attackers to access interfaces where serialized data is loaded. For instance, if web session information is stored in a client cache using cookies, the user has access to the cookie data. The attacker could leverage this access to tamper with cookies, say, changing the access controls and gaining access to the system.
Preventing Serialization Attacks
- Serialization of sensitive data must be avoided. Wherever possible, developers should write class-specific serialization methods to ensure that sensitive fields and internal states are not exposed to the serialization stream.
- Deserialization of input data must be avoided, unless absolutely necessary. Deserialization of untrusted and unvalidated inputs must strictly be avoided. Intelligent Web Application Firewalls (WAFs), digital signatures and other robust security measures must be used to ensure serialized objects have not been tampered with.
- Isolate and run deserialized objects/ code in secure, low-privilege environments.
- Maintain a log with deserialization failures and exceptions.
- Onboard a security solution that combines intelligent automation with the trusted expertise of certified security professionals.
Serialization and deserialization are powerful tools but need to be securely executed to ensure they aren’t counterproductive. Managed, and intuitive security solutions from Indusface use a combination of blacklisting and whitelisting models, profiling, behavior and pattern analytics, intuitive WAF with customized and regularly tuned policies and threat intelligence to harden applications against serialization attacks.