Unsafe Deserialization

  • Question

  • User-1835835255 posted

    Any help is appreciated.

    Dynamic Code Evaluation: Unsafe Deserialization
    Summary:
    WebInspect has detected LosFormatter serialized object stream in user-controlled POST Parameter data. Deserializing
    user-controlled object streams at runtime can allow attackers to execute arbitrary code on the server, abuse application logic,
    and/or lead to denial of service.
    .NET serialization turns object graphs into byte or XML streams that contain the objects themselves and the necessary
    metadata to reconstruct them from the stream. Developers can create custom code to aid in the process of deserializing .NET
    objects, where they can replace the deserialized objects with different objects, or proxies. The customized deserialization
    process takes place during objects reconstruction, before the objects are returned to the application and cast into expected
    types. By the time developers try to enforce an expected type, code may have already been executed.

    Fix

    Do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being
    deserialized, the SerializationBinder class should be used.
    The object stream will first contain the class description metadata and then the serialized bytes or XML of their member fields.
    The deserialization process allows developers to read the class description and decide whether to proceed with the
    deserialization of the object or abort it. In order to do so, it is necessary to inherit
    System.Runtime.Serialization.SerializationBinder and provide a custom implementation of the
    BindToType(String, String) or BindToName(Type, String, String) method where class validation and
    verification should take place.
    Always use a strict whitelist approach to only deserialize expected types. A blacklist approach is not recommended since
    attackers may use many available gadgets to bypass the blacklist. Also, keep in mind that although some classes are publicly
    known, there may be others that are unknown or undisclosed, so a whitelist approach will always be preferred. Any class
    allowed in the whitelist should be audited to make sure it is safe to deserialize.
    To avoid denial of service attacks in DataContractSerializer, it is recommended to set a safe value for the
    MaxItemsInObjectGraph property based on the number of objects that are being deserialized and the CLR aborts the
    deserialization when a threshold is surpassed.
    When deserialization takes place in a library or framework, the above recommendation is not useful since it is beyond the
    developer's control. In those cases, you may want to make sure that these protocols meet the following requirements:
    · Not exposed publicly.
    · Use authentication.
    · Use integrity checks.
    · Use encryption.

    Tuesday, September 25, 2018 11:54 AM
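The following is an added example of the whitelist SerializationBinder approach the scanner's "Fix" text describes; it is not code from the original post, from WebInspect, or from the poster's site. It assumes .NET Framework 4.x (BinaryFormatter is disabled by default in newer .NET), and the OrderSummary and UnlistedType classes are constructed for illustration. The binder fails closed: any type name not in its table aborts deserialization of the whole stream before that type is instantiated. A second method shows the MaxItemsInObjectGraph bound the scanner recommends for DataContractSerializer.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Illustrative payload type (constructed for this example).
[Serializable]
public sealed class OrderSummary
{
    public int OrderId;
    public decimal Total;
}

// A second serializable type that is deliberately NOT whitelisted, used only
// to show that the binder refuses anything the application does not expect.
[Serializable]
public sealed class UnlistedType
{
    public string Note;
}

// Strict whitelist binder: BindToType is consulted for every type record in the
// stream before that type is instantiated, so an unexpected type is rejected
// before any of its deserialization callbacks or constructors can run.
public sealed class WhitelistBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            { typeof(OrderSummary).FullName, typeof(OrderSummary) },
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type allowed;
        if (Allowed.TryGetValue(typeName, out allowed))
        {
            return allowed;
        }
        // Fail closed: throwing here aborts deserialization of the whole graph.
        throw new SerializationException(
            "Type '" + typeName + "' is not on the deserialization whitelist.");
    }
}

public static class SafeDeserialization
{
    // Helper used only to build sample streams for the demo below.
    public static byte[] Serialize(object graph)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, graph);
            return ms.ToArray();
        }
    }

    // Only OrderSummary graphs can come out of this method; anything else throws.
    public static OrderSummary DeserializeOrder(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new WhitelistBinder() };
        using (var ms = new MemoryStream(data))
        {
            // The cast runs only after the binder has vetted every type in the stream.
            return (OrderSummary)formatter.Deserialize(ms);
        }
    }

    // DataContractSerializer counterpart: bound the object graph so an oversized
    // stream is aborted instead of exhausting memory (denial of service).
    public static OrderSummary DeserializeOrderXml(Stream xml)
    {
        var settings = new DataContractSerializerSettings { MaxItemsInObjectGraph = 64 };
        var dcs = new DataContractSerializer(typeof(OrderSummary), settings);
        return (OrderSummary)dcs.ReadObject(xml);
    }

    public static void Main()
    {
        var good = Serialize(new OrderSummary { OrderId = 42, Total = 19.99m });
        Console.WriteLine("Allowed: order " + DeserializeOrder(good).OrderId);

        var unexpected = Serialize(new UnlistedType { Note = "not whitelisted" });
        try
        {
            DeserializeOrder(unexpected);
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

This pattern applies to formatters that expose a Binder property (BinaryFormatter, NetDataContractSerializer). The LosFormatter named in the finding does not expose one, so for that path (view state and similar POST parameters) the relevant control is the "use integrity checks" bullet above: keep ASP.NET's MAC validation of view state enabled and its key secret, so the server never deserializes a stream it did not itself sign.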

All replies

  • User283571144 posted

    Hi chjones2008,

    According to your description, I couldn't understand your issue clearly.

    Could you please post more details about which code show this error?

    Besides, as far as I know, the deserialization itself can already be unsafe.

    If the serialized data contains personal information, or bank information, then absolutely (there is a security risk).

    Best Regards,

    Brando

    Wednesday, September 26, 2018 6:31 AM
  • User-1835835255 posted

    There's a security scan that runs on the server of the website I made and that's the error and proposed solution to fix the issue (Unsafe Deserialization). The "fix" is not clear, so I'm looking for more info on how to fix this issue.

    Wednesday, September 26, 2018 11:53 AM
  • User283571144 posted

    Hi chjones2008,

    There's a security scan that runs on the server of the website I made and that's the error and proposed solution to fix the issue (Unsafe Deserialization). The "fix" is not clear, so I'm looking for more info on how to fix this issue.

    As far as I know, this issue may be related to your xml data; the xml may not contain the DTD, so it will show this security issue.

    With a DTD, independent groups of people can agree on a standard DTD for interchanging data.

    An application can use a DTD to verify that XML data is valid.

    I suggest you could check the data format to make sure it contains the DTD.

    More details, you could refer to below article:

    https://www.w3schools.com/xml/xml_dtd_intro.asp 

    Best Regards,

    Brando

    Monday, October 1, 2018 1:49 AM