The following checks should be implemented before the Java objects are getting deserialized/being read or any operation is being performed:
1. The returned Object is also cast to the specified type
2. Check the classes referenced are safe (Class whitelisting)
3. The number of bytes allowed should be limited (else may lead to denial of service attack)
4. Do Integrity checks: Never trust user supplied data. Whenever possible, perform integrity checks by validating the signatures for serialized data.
5. Also, ensure that Content-type header of an HTTP response should be set to application/x-java-serialized-object
Reference Links:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
About Author:
Suman Tiwari is a Cyber Security Professional by Profession and photographer by passion.
His Linkedin profile can be visited here for more details.