Insecure Deserialization

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application.

Security Assessment


CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:X/IR:X/AR:X/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Vulnerability Information

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and its attacker-controlled state is acted upon by the application's code, which can result in SQL Injection, Path Traversal, Application Denial of Service and Remote Code Execution.

Guides

In order to protect your web application from this type of vulnerability, you should never pass a serialized object that can be manipulated by the user to the deserialization function. Instead of unserialize you could use a data interchange format such as JSON, which reconstructs plain data rather than application objects, if you need to pass structured data between the user and the web application.

As an example of what a serialized PHP object looks like, see the code block below (the %00 sequences are URL-encoded null bytes that PHP uses to mark private properties):

O:9:"SomeClass":2:{s:20:"%00SomeClass%00file_name";N;s:16:"%00SomeClass%00value";N;}

The insecure deserialization vulnerability can be triggered if an untrusted user is able to manipulate the object and send it directly to the PHP unserialize() function.
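The following is an added example, not code from the original page, showing the insecure pattern described above beside two defensive alternatives: the JSON-based approach recommended in the guide, and, for cases where the native format cannot be dropped, an HMAC-protected blob deserialized with allowed_classes set to false. The cookie name "prefs", the field names and the key handling are constructed for illustration.

```php
<?php
declare(strict_types=1);

// --- Insecure: native unserialize() on user-controlled input --------------
// Whatever class name and property values the client places in the cookie are
// reconstructed here, and any __wakeup()/__destruct() defined on that class runs.
function loadPrefsInsecure(array $cookies): mixed
{
    return unserialize($cookies['prefs'] ?? 'N;'); // vulnerable pattern, do not use
}

// --- Safer: JSON plus explicit schema validation --------------------------
// json_decode() only ever yields scalars, arrays and stdClass; no application
// class is instantiated from the input, so there is no object to manipulate.
function loadPrefsFromJson(array $cookies): array
{
    $raw  = $cookies['prefs'] ?? '{}';
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('prefs must be a JSON object');
    }
    // Allow-list the fields and types the application actually expects.
    $prefs = ['file_name' => null, 'value' => null];
    foreach (array_keys($prefs) as $field) {
        if (array_key_exists($field, $data)) {
            if (!is_string($data[$field]) || strlen($data[$field]) > 255) {
                throw new InvalidArgumentException("invalid value for $field");
            }
            $prefs[$field] = $data[$field];
        }
    }
    return $prefs;
}

// --- If native serialization cannot be avoided ----------------------------
// 1) authenticate the blob with an HMAC so the client cannot alter it, and
// 2) refuse to instantiate any class via the allowed_classes option.
function sealNative(array $prefs, string $key): string
{
    $blob = serialize($prefs);
    return base64_encode($blob) . '.' . hash_hmac('sha256', $blob, $key);
}

function openNative(string $sealed, string $key): array
{
    [$b64, $mac] = explode('.', $sealed, 2) + [null, null];
    $blob = base64_decode((string) $b64, true);
    if ($blob === false || $mac === null
        || !hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        throw new RuntimeException('prefs cookie failed integrity check');
    }
    // Objects in the blob become __PHP_Incomplete_Class instead of real
    // instances, so the is_array() check below rejects them.
    $data = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('unexpected payload type');
    }
    return $data;
}

// Usage with constructed inputs.
$key    = random_bytes(32); // in practice a stable secret loaded from configuration
$sealed = sealNative(['file_name' => 'report.txt', 'value' => 'dark'], $key);
var_dump(openNative($sealed, $key)); // the array round-trips intact

// A serialized object in the cookie (constructed, modelled on the page's sample)
// is rejected by the JSON path because it is not valid JSON at all.
$tampered = ['prefs' => 'O:9:"SomeClass":2:{s:9:"file_name";N;s:5:"value";N;}'];
try {
    loadPrefsFromJson($tampered);
} catch (JsonException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

The JSON path is the preferable fix because the problem disappears structurally: nothing the client sends can name a class. The sealed-native path only reduces exposure and depends on the key staying secret and on every read going through openNative().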

For more information about Crashtest Security visit crashtest-security.com