What is serialisation?
Process of converting an object into a series of bytes that saves the state of the object in an easily transmittable form.
Why do we need serialisation?
- Caching
- Save the state of an object & loads instantly. - Replication
- Clones object across different machines/environments. - Communication
- Makes objects transferrable through a network. - Persistence
- Complies with any database or a file system for later use. - Cross-machine Synchronisation
- Supports remote invocation and update.
Tell me an example of Serialisation.
If you shop online and save items to a cart and close the browser, the content can remain in the cart if the items are serialised to disk or database. Once you return, the items will be derserialised and returned to cart.
List a few vulnerabilities with Serialisation.
- Untrusted data (Miss Assignment)
- Objects fields normally inaccessible to users. - Custom Derserialisation Functions/Code
- No different than any insecure code. - Object Type Specifications
- Unexpected objects. - Function Trampolines/Gadgets
- Chain multiple object types.
In the context of Serialisation, what are gadgets?
Class that you can use to escalate a deserialisation into remote code execution are called gadgets.
What is a gadget chain?
A sequence of gadgets that perform actions on behalf of a malicious actor.
How does a gadget chain work?
Once an attacker identifies a series of gadgets he can chain them together creating a sequence of instructions that, when executed, can leverage the vulnerabilities in the target software to achieve a malicious objective.
Attack achieved:
- Arbitrary code execution
- Privilege escalation
- Bypass security mechanisms
How to prevent serialisation attacks?
- Use non-native formats such as XML and JSON.
- Use runtime application self protection (RASP).
- Implement checks for data integrity/deserialisation signed data.
- Only deserialise ‘simple’ objects.
- Run deserialisation code in low privilege environments.
