How to Fix Insecure Deserialisation

Insecure Deserialization is applicable to all programming languages, not just Java.

The following checks should be implemented before Java objects are deserialized (read from the stream) and before any operation is performed on them:


1. Cast the returned object to the expected type; do not operate on an unchecked Object.

2. Check that the classes referenced in the stream are safe (class whitelisting).

3. Limit the number of bytes that may be read (an unbounded stream can lead to a denial of service attack).

4. Also, ensure that the Content-Type header of an HTTP response carrying serialized objects is set to application/x-java-serialized-object ( https://docs.spring.io/spring-cloud-stream/docs/Brooklyn.RELEASE/reference/html/contenttypemanagement.html ).
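The following is an added example, not code from the original post, showing checks 1 to 3 together in plain Java: a whitelisting ObjectInputStream subclass (check 2), a byte-bounded input stream (check 3), and a typed cast on the result (check 1). Check 4 is an HTTP concern and is not shown here. The class names SafeDeserializer and Greeting, the 4096-byte limit and the sample payloads are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class SafeDeserializer {

    // Check 2: only these classes may be reconstructed from the stream (assumed whitelist).
    private static final Set<String> ALLOWED_CLASSES = Set.of("SafeDeserializer$Greeting");

    // Check 3: upper bound on bytes consumed from the stream (assumed limit).
    private static final long MAX_BYTES = 4096;

    // Constructed sample payload type used only for this example.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // ObjectInputStream that rejects any class descriptor not on the whitelist,
    // before the JVM instantiates the class or runs its readObject logic.
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        WhitelistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED_CLASSES.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // InputStream wrapper that fails once more than maxBytes have been read.
    static final class BoundedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long count;
        BoundedInputStream(InputStream in, long maxBytes) { super(in); this.maxBytes = maxBytes; }

        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) consume(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) consume(n);
            return n;
        }
        private void consume(long n) throws IOException {
            count += n;
            if (count > maxBytes) throw new IOException("Serialized payload exceeds " + maxBytes + " bytes");
        }
    }

    // Check 1: deserialize with the whitelist and byte limit, then return the
    // object cast to the expected type instead of a raw Object.
    public static <T> T deserialize(byte[] data, Class<T> expectedType) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new WhitelistObjectInputStream(
                new BoundedInputStream(new ByteArrayInputStream(data), MAX_BYTES))) {
            Object obj = ois.readObject();
            return expectedType.cast(obj); // throws ClassCastException on a type mismatch
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a whitelisted object is accepted...
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Greeting("hello"));
        }
        Greeting g = deserialize(bos.toByteArray(), Greeting.class);
        System.out.println("Accepted: " + g.text);

        // ...and a class that is not on the whitelist is rejected before it is instantiated.
        bos.reset();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.Date());
        }
        try {
            deserialize(bos.toByteArray(), Greeting.class);
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same whitelist and size limit can instead be expressed with ObjectInputFilter.Config.createFilter (a pattern such as "SafeDeserializer$Greeting;!*;maxbytes=4096") and installed through ObjectInputStream.setObjectInputFilter; the resolveClass override shown above works on older runtimes as well.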


Reference Links:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

About Author:

Suman Tiwari CPISI Exam Guide

Suman Tiwari is a cyber security professional by profession and a photographer by passion.

His LinkedIn profile can be visited here for more details.
