Introduction to Deserialization
Aug 16, 2023 | by: Shimon Brathwaite
Understanding serialization and deserialization
Before we talk about deserialization, we first need to understand what serialization is. Serialization is the process of converting a data object (a combination of code and data represented within a region of data storage) into a series of bytes that captures the state of the object in an easily transmittable form. In this serialized form the data can be delivered to another data store (such as an in-memory computing platform), an application, a database or some other destination. Serialization matters in modern computing because data must be transmitted across many systems, databases, applications and networks in order to fulfil both business and personal use cases.
Once data has been serialized and moved to a data store, it needs to be deserialized in order to be put back together in a format that an end user can use. Deserialization is the process of reconstructing a data structure or object from a series of bytes or strings so that the resulting object can be consumed. Serialization and deserialization work together: one transforms data objects into a portable format, the other recreates them from that format into one that can be used.
While deserialization is a standard step in data transmission, it carries risks. These are known as deserialization attacks, in which the deserialization of attacker-controlled data can lead to the execution of malicious code on the host server; such attacks are common. Exploiting a deserialization vulnerability typically requires inside knowledge of the application's code base (though it isn't impossible without it), and candidate vulnerabilities can be enumerated using security tools. Deserialization attacks typically require you to develop exploit code in order to leverage the weakness and demonstrate impact.
How hackers leverage deserialization
Exploiting the unsafe deserialization of user-supplied data can result in numerous types of attacks, such as authorization or authentication bypasses or the ability to execute code. This lets attackers reach unauthorized data by bypassing controls and run code on the target server that allows them to perform a long list of malicious operations. In addition to these attacks, hackers can also cause a denial of service via a serialization loop: the root object is crafted so that its members are linked in a loop, and any application that attempts to deserialize the object runs in a loop that never ends, until it consumes 100% of the CPU. There are several different types of insecure deserialization:
Blind deserialization: This type of deserialization attack exploits Java payloads or manipulates a transformer chain to allow remote code execution (RCE) on the target server. It is called blind because it occurs on a system or network protected by security controls such as a firewall, where the attacker has no visibility into the result.
Asynchronous deserialization: In this type of attack, the attacker stores serialized payloads in the target server's database. Once the target application initiates deserialization, the payload triggers and manipulates the deserialization process in order to perform a malicious action.
Deferred-execution deserialization: In this type of attack, a payload is executed in the vulnerable application after the deserialization process has completed. The payload bypasses any non-executable protections and allows the attacker to achieve code execution.
Preventing deserialization
WAF: Using a Web Application Firewall is a great way to protect against some insecure deserialization attacks. WAFs filter user input and can prevent hackers from sending customized inputs to your database as part of an insecure deserialization attack. A WAF can be positioned between your web application server and end clients so that it inspects all traffic before it is handed over to your application server.
Avoid native formats: A native format is the file structure of an electronic document as defined by the application that created it; for example, the native format of a spreadsheet made with Excel is .xls. One strategy to prevent deserialization attacks is to use data-only or language-agnostic formats, so that it is harder for attackers to exploit the deserialization logic.
Integrate checksums or digital signatures to ensure trusted sources: Another control you can integrate is a checksum that ensures all data inputs come from trusted sources, or accepting only serialized objects of primitive data types. Digital signatures are one way to do this: by verifying the integrity of the data and the identity of the sender, they ensure that the data has not been altered and does not come from an untrusted source.
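The two controls above, a data-only format and a signature over the serialized bytes, as an added Python example that is not part of the original post. The key and the payload are constructed for the demo; the verifier checks the HMAC before anything is parsed and then confirms the top-level type it was told to expect.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real service loads this from a secrets store.
SECRET_KEY = b"demo-key-do-not-use-in-production"


def serialize_signed(obj) -> bytes:
    """Serialize to JSON (a data-only format) and append an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body) + b"." + base64.b64encode(tag)


def deserialize_verified(token: bytes, expected_type: type = dict):
    """Check the signature first, parse second, then confirm the top-level type."""
    try:
        body_b64, tag_b64 = token.split(b".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: payload rejected before parsing")
    obj = json.loads(body)  # only runs on bytes we signed ourselves
    if not isinstance(obj, expected_type):
        raise TypeError(f"expected {expected_type.__name__}, got {type(obj).__name__}")
    return obj


def is_rejected(token: bytes, expected_type: type = dict) -> bool:
    """True when the verifier refuses the token (tampered, unsigned or wrong type)."""
    try:
        deserialize_verified(token, expected_type)
        return False
    except (ValueError, TypeError):
        return True


if __name__ == "__main__":
    token = serialize_signed({"user": "alice", "role": "viewer"})
    print(deserialize_verified(token))
    # Flip one bit of the encoded body: the tag no longer matches, so nothing is parsed.
    tampered = bytes([token[0] ^ 1]) + token[1:]
    print(is_rejected(tampered))  # True
```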
Use Java Serial Killer to test for certain vulnerabilities such as Java deserialization: This is a security testing tool that performs Java deserialization attacks and can be used to test your application for potential deserialization vulnerabilities. By using this tool ahead of time you can identify your application's exposure to a deserialization attack and make adjustments to prevent hackers from exploiting those vulnerabilities.
Log deserialization and always check for exceptions from deserialization failures: You should log all deserialization exceptions and failures, as they can provide clues of a potential attack against your company. A common exception you want to log is the incoming type not being the expected type.
Monitor deserialization and alert if applications try to deserialize constantly: By monitoring your application's deserialization process you can be alerted to potentially malicious activity and act quickly to prevent a data breach. These alerts should be routed to the proper channels so that your security/IT staff are notified quickly and can act accordingly.
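The logging and monitoring controls from the last two items, as an added Python example that is not part of the original post. It logs every parse failure and type mismatch and flags a source that deserializes more than a constructed threshold within a window; the thresholds, the source labels and the in-memory audit log are assumptions for the demo.

```python
import json
import logging
import time
from collections import defaultdict, deque

# Constructed thresholds (assumption): more than MAX_ATTEMPTS deserialization
# calls from one source inside WINDOW_SECONDS is flagged for the security team.
WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5

logger = logging.getLogger("deserialization")
audit_log: list = []  # in-memory copy of emitted messages for inspection
_attempts: dict = defaultdict(deque)


class _ListHandler(logging.Handler):
    """Keeps emitted messages in audit_log; a real app would ship them to a SIEM."""
    def emit(self, record):
        audit_log.append(record.getMessage())


logger.addHandler(_ListHandler())
logger.setLevel(logging.INFO)


def record_attempt(source: str, now: float = None) -> bool:
    """Count deserialization calls per source; True when the rate is suspicious."""
    now = time.monotonic() if now is None else now
    window = _attempts[source]
    window.append(now)
    while window and now - window[0] > WINDOW_SECONDS:  # drop aged-out calls
        window.popleft()
    if len(window) > MAX_ATTEMPTS:
        logger.warning("ALERT source=%s made %d deserialization calls in %ds",
                       source, len(window), WINDOW_SECONDS)
        return True
    return False


def guarded_loads(raw: bytes, expected_type: type, source: str, now: float = None):
    """Deserialize a JSON document, logging every failure and type mismatch."""
    record_attempt(source, now)
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        logger.error("source=%s deserialization failed: %s", source, exc)
        raise
    if not isinstance(obj, expected_type):
        logger.error("source=%s unexpected type %s (wanted %s)",
                     source, type(obj).__name__, expected_type.__name__)
        raise TypeError("incoming type is not the expected type")
    return obj
```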
Conclusion
Deserialization converts data from one format to another. In the context of programming, it is the process of converting data from a serialized format into a native data structure. It is often used to convert data received from an external source, such as a web service or a database, into a format the program can use. While deserialization is a normal process in web applications, it can also be used by attackers as a means of attack. In this article we've covered how this is done and some of the ways you can mitigate these attacks.
Shimon Brathwaite is a cybersecurity professional, consultant and author at securitymadesimple. He is a graduate of Ryerson University in Toronto, Canada. He has worked in several financial institutions in security-related roles and as a consultant in incident response, and is a published author with a book on cybersecurity law. His professional certifications include Security+, CEH and AWS Security Specialist.