
Serialized Object Found

Impact: High

Description

Object serialization allows complex data structures to be transferred over channels such as HTTP, but wherever a serialized object is accepted, a deserialization step exists on the receiving side. Deserializing data from an untrusted source is prone to several classes of vulnerability, including command execution, because the serialized stream can steer which classes the deserializer instantiates and which of their logic runs.

Recommendation

Change the application architecture so that it does not depend on deserializing objects from an untrusted source. Failing that, restrict deserialization so that only primitive data types are accepted. If you must deserialize objects, implement integrity checks such as digital signatures on every serialized object to prevent tampering, and verify them before the data is deserialized. Also log every deserialization error and monitor those logs.
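The following is an added example illustrating the two mitigations above for Python's pickle format; it is not code from the original page or from SmartScanner. It uses an HMAC-SHA256 tag as the integrity check (a keyed MAC standing in for the digital signature mentioned above), verifies the tag before touching the payload, and loads the payload through an unpickler that rejects every class or function reference, so only primitive values and basic containers can be reconstructed. The key and the sample payloads are constructed for the example; the function names are assumptions.

```python
import hashlib
import hmac
import io
import logging
import pickle

log = logging.getLogger("deserialization")

# Constructed example key; a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-example-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size


class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (class/function) reference.

    Primitive types (int, float, str, bytes, bool, None) and the basic
    containers (list, tuple, dict, set) are rebuilt by opcodes that never
    call find_class, so they still load. Anything that names a class or
    function, which is what gadget chains rely on, is rejected.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} is not allowed"
        )


def sign_payload(obj, key=SECRET_KEY):
    """Serialize obj and prepend an HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def verify_and_load(blob, key=SECRET_KEY):
    """Verify the HMAC first; only then deserialize, primitives only.

    Returns the object on success, or None after logging the failure so
    that tampered or malformed payloads show up in monitoring.
    """
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a mismatch means the bytes were not produced
    # by a holder of the key, so the payload is never deserialized.
    if not hmac.compare_digest(tag, expected):
        log.warning("deserialization rejected: HMAC mismatch")
        return None
    try:
        return PrimitiveOnlyUnpickler(io.BytesIO(body)).load()
    except pickle.UnpicklingError as exc:
        log.warning("deserialization rejected: %s", exc)
        return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good = sign_payload({"user": "alice", "ids": [1, 2, 3]})
    print("valid payload ->", verify_and_load(good))

    tampered = bytearray(good)
    tampered[-1] ^= 0xFF  # flip one byte of the body
    print("tampered payload ->", verify_and_load(bytes(tampered)))

    print("wrong key ->", verify_and_load(good, key=b"some-other-key"))
```

Keep the integrity check and the type restriction as separate layers: the HMAC stops unauthenticated payloads from reaching the deserializer at all, and the restricted unpickler limits the damage if a key is ever leaked or a legitimate producer is compromised. Logging at the rejection points is what makes the monitoring recommendation above actionable.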

References

Last updated on October 10, 2021

This issue is available in SmartScanner Professional
