Insecure Deserialization
Impact: High
Description
Insecure deserialization occurs when an application deserializes user-supplied serialized data without verifying its integrity. An attacker who controls the serialized object can manipulate application state and, in many cases, execute commands on the server.
Recommendation
Change the application architecture so that it does not depend on object serialization from untrusted sources. Failing that, restrict deserialization to formats in which only primitive data types are accepted. If you must deserialize objects, implement integrity checks such as digital signatures or MACs on every serialized object and verify them before parsing, so that tampered data is rejected. Also log every deserialization error and monitor those logs.
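As an added example (not part of this advisory), the following Python pattern applies the recommendation: data is limited to JSON primitives and an HMAC-SHA256 tag is verified before anything is parsed; the secret key value and the helper names are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import logging

log = logging.getLogger("deserialization")

# Assumed: a server-side secret never sent to clients (constructed placeholder value).
SECRET_KEY = b"example-server-side-secret-replace-in-production"


def serialize(obj):
    """JSON-encode primitives and append an HMAC-SHA256 tag over the exact bytes."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def deserialize(token):
    """Verify the tag first, then parse. json.loads yields only primitive types
    (dict, list, str, numbers, bool, None), so no attacker-chosen class is ever
    instantiated, unlike pickle or Java's ObjectInputStream."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return json.loads(payload)


def try_deserialize(token):
    """Wrapper that logs every failure (the 'log and monitor' advice above)
    and returns (ok, value_or_reason) instead of raising."""
    try:
        return True, deserialize(token)
    except ValueError as exc:
        log.warning("rejected serialized input: %s", exc)
        return False, str(exc)


def replace_payload(token, new_obj):
    """Test helper: swap the payload but keep the old tag, simulating tampering."""
    _, tag_b64 = token.split(".", 1)
    new_payload = json.dumps(new_obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(new_payload).decode() + "." + tag_b64
```

The same structure works for any serialized blob: sign the bytes when they leave the server, verify with a constant-time comparison before they are parsed on return, and treat a verification failure as a security event worth alerting on.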
Last updated on October 10, 2021