Serialization

Rule 1: Prefer alternatives to Java serialization

Topics

  1. Attacks based on serialization

    • The bug: an attack surface that is too large to defend
    • Other serialization systems
    • Untrusted data: the HashSet example

Legacy code may still depend on Java serialization, so the remainder of this unit gives advice on when and how to use it if you must.

Attacks based on serialization

  • a ransomware attack on the San Francisco Metropolitan Transit Agency Municipal Railway (SFMTA Muni) that shut down the entire fare collection system for two days in November 2016

Cases of attack

  1. A fundamental problem with serialization is that its attack surface is too big to protect, and it is constantly growing: object graphs are deserialized by invoking the readObject method on an ObjectInputStream. This method is essentially a magic constructor that can be made to instantiate objects of almost any type on the class path, so long as the type implements the Serializable interface.
    1. In the process of deserializing a byte stream, this method can execute code from any of these types, so the code for all of these types is part of the attack surface.
    2. The attack surface includes classes in the Java platform libraries, in third-party libraries such as Apache Commons Collections, and in the application itself.
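The points above (readObject as a "magic constructor" for any Serializable class on the class path, and the nested-HashSet case listed under the topics) are what deserialization filters were introduced to mitigate. The following is an added example, not code from the original post: it uses the JDK's own ObjectInputFilter (JEP 290, Java 9 and later) to allowlist the one application class we expect and to cap graph depth, so that an unexpected class or a deeply nested graph is rejected before its readObject code runs. The class names SerialFilterDemo and Greeting and the depth/size limits are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class SerialFilterDemo {

    /** Constructed sample type: the only application class we intend to accept from the wire. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * Allowlist filter: named classes are accepted, the trailing "!*" rejects every other class,
     * and the limits bound graph depth, reference count and stream size (values are illustrative).
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=100;maxbytes=4096;"
            + Greeting.class.getName() + ";java.lang.String;!*");

    /** Limits-only filter: accepts any class but caps nesting depth, so a deep graph is cut off early. */
    static final ObjectInputFilter DEPTH_LIMIT = ObjectInputFilter.Config.createFilter("maxdepth=8");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the given filter installed; the filter must be set before the first readObject. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /** Builds a chain of sets, each containing the next: a benign stand-in for the nested-HashSet case. */
    static Set<Object> nestedSets(int levels) {
        Set<Object> inner = new HashSet<>();
        for (int i = 0; i < levels; i++) {
            Set<Object> outer = new HashSet<>();
            outer.add(inner);
            inner = outer;
        }
        return inner;
    }

    /** Reports whether the filter accepted the stream; a filter rejection surfaces as InvalidClassException. */
    static String attempt(String label, byte[] bytes, ObjectInputFilter filter) {
        try {
            Object o = deserialize(bytes, filter);
            return label + ": accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return label + ": failed (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] greeting = serialize(new Greeting("hello"));
        byte[] deep = serialize(nestedSets(20));

        System.out.println(attempt("Greeting under allowlist", greeting, ALLOWLIST));
        System.out.println(attempt("HashSet under allowlist", deep, ALLOWLIST));          // class not listed
        System.out.println(attempt("20-deep HashSet under depth limit", deep, DEPTH_LIMIT)); // exceeds maxdepth
        System.out.println(attempt("Greeting under depth limit", greeting, DEPTH_LIMIT));
    }
}
```

The allowlist is the important half: a limits-only filter still lets readObject run for every Serializable class on the class path, which is exactly the attack surface described above. The same pattern string can be applied process-wide through the jdk.serialFilter system property so that code paths that forget to call setObjectInputFilter are covered too.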


Published by


sevanand yadav

Software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate.
