Deprecated: Function create_function() is deprecated in /home/phototor/domains/phototor.com/public_html/wp-content/themes/premium-photography/inc/photo-widgets.php on line 3
How to Fix Insecure Deserialisation | Suman Tiwari Travellography, Cyber Security & Photography Blog How to Fix Insecure Deserialisation – Suman Tiwari Travellography, Cyber Security & Photography Blog

How to Fix Insecure Deserialisation

  Posted in Cyber Security on

  by Suman Tiwari

 

Insecure Deserialization is applicable to all programming languages and not Just JAVA.

The following checks should be implemented before the Java objects are getting deserialized/being read or any operation is being performed:


1. The returned Object is also cast to the specified type

2. Check the classes referenced are safe (Class whitelisting)

3. The number of bytes allowed should be limited (else may lead to denial of service attack)

4. Do Integrity checks: Never trust user supplied data. Whenever possible, perform integrity checks by validating the signatures for serialized data.

5. Also, ensure that Content-type header of an HTTP response should be set to application/x-java-serialized-object

https://docs.spring.io/spring-cloud-stream/docs/Brooklyn.RELEASE/reference/html/contenttypemanagement.html ) 


Reference Links:https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md 

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

About Author:

Suman Tiwari CPISI Exam Guide

Suman Tiwari is a Cyber Security Professional by Profession and photographer by passion.

His Linkedin profile can be visited here for more details.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2018 phototor.com/ All Rights Reserved. Site is Powered by www.iaptertechnology.com