
Insecure Deserialization Remote Code Execution

Impact: High

Description

Insecure deserialization occurs when an application deserializes user-supplied serialized data (an object string) without verifying its integrity. An attacker who controls the serialized bytes can manipulate the application's state and, depending on the runtime and the classes available, execute remote commands.

Recommendation

Change the application architecture so that it does not depend on object serialization from an untrusted source. Failing that, use a deserialization format in which only primitive data types are accepted. If you must deserialize objects, apply an integrity check such as a digital signature (or MAC) to every serialized object and verify it before deserializing, so tampered data is rejected. Also log every deserialization error and monitor those logs.
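The following added example (not SmartScanner's code) shows the two mitigations above combined in Python: the payload is restricted to JSON primitives, and every payload carries an HMAC-SHA256 tag that is verified in constant time before the data is parsed. Rejected tokens are logged. The key, the token layout (base64 body, a dot, a hex tag) and the sample values are assumptions made for the demo.

```python
"""Integrity-checked serialization for untrusted input (added example).

Only JSON primitives are accepted, and every payload carries an HMAC-SHA256
tag so that tampered or forged data is rejected before it is interpreted.
"""
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("deserialize")

# Hypothetical key for the demo; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Allow-list of primitive types; anything else is refused at both ends.
PRIMITIVES = (str, int, float, bool, type(None))


def _check_primitives(value):
    """Recursively verify that value is built only from allow-listed types."""
    if isinstance(value, PRIMITIVES):
        return
    if isinstance(value, list):
        for item in value:
            _check_primitives(item)
        return
    if isinstance(value, dict):
        for k, v in value.items():
            if not isinstance(k, str):
                raise TypeError(f"non-string key: {k!r}")
            _check_primitives(v)
        return
    raise TypeError(f"type not allowed in serialized data: {type(value).__name__}")


def serialize(obj, key=SECRET_KEY):
    """Encode obj as base64(JSON) + '.' + hex(HMAC-SHA256 over the JSON bytes)."""
    _check_primitives(obj)
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def deserialize(token, key=SECRET_KEY):
    """Verify the tag first; only then parse the JSON. Raises ValueError on failure."""
    try:
        encoded_body, tag = token.split(".", 1)
        body = base64.urlsafe_b64decode(encoded_body.encode())
    except (ValueError, TypeError) as exc:  # malformed token
        log.warning("rejected malformed token: %s", exc)
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, tag):
        log.warning("rejected token with invalid signature")
        raise ValueError("integrity check failed")
    value = json.loads(body)  # JSON parsing never instantiates application classes
    _check_primitives(value)  # defense in depth: still only primitives
    return value


def tamper_rejected_demo():
    """Self-check: a body swapped under a valid tag must be rejected."""
    good = serialize({"user": "alice", "role": "viewer"})
    other = serialize({"user": "alice", "role": "admin"})
    swapped = other.split(".")[0] + "." + good.split(".")[1]
    try:
        deserialize(swapped)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(deserialize(serialize({"user": "alice", "role": "viewer"})))
    print(tamper_rejected_demo())
```

The order matters: the tag is checked before `json.loads` runs, so untrusted bytes are never interpreted unless they were produced by a holder of the key. Using JSON rather than a native object serializer is what makes the "primitives only" rule enforceable, since the parser cannot construct arbitrary application objects even when the tag check is bypassed.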

Last updated on October 10, 2021

This issue is available in SmartScanner Professional