The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption.

Data that is untrusted can not be trusted to be well-formed.

When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.

Background Details

Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").

Modes Of Introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation

Applicable Platforms

Language

Name: Java (Undetermined)
Name: Ruby (Undetermined)
Name: PHP (Undetermined)
Name: Python (Undetermined)
Name: JavaScript (Undetermined)

Technologies

Class: ICS/OT (Often)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Architecture and Design // Implementation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Phases : Implementation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Phases : Implementation
Explicitly define a final object() to prevent deserialization.
Phases : Architecture and Design // Implementation

Make fields transient to protect them from deserialization.

An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

Phases : Implementation
Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

Notes

The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.

References

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-461

Exploiting Deserialization Vulnerabilities in Java
Matthias Kaiser.
https://www.slideshare.net/codewhitesec/exploiting-deserialization-vulnerabilities-in-java-54707478

REF-462

PHP unserialization vulnerabilities: What are we missing?
Sam Thomas.
https://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing

REF-463

Marshalling Pickles: How deserializing objects can ruin your day
Gabriel Lawrence, Chris Frohoff.
https://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

REF-464

Unserializing user-supplied data, a bad idea
Heine Deelstra.
https://drupalsun.com/heine/2010/08/25/unserializing-user-supplied-data-bad-idea

REF-465

Black Hat EU 2010 - Attacking Java Serialized Communication
Manish S. Saindane.
https://www.slideshare.net/msaindane/black-hat-eu-2010-attacking-java-serialized-communication

REF-466

Why Python Pickle is Insecure
Nadia Alramli.
http://michael-rushanan.blogspot.com/2012/10/why-python-pickle-is-insecure.html

REF-467

Exploiting misuse of Python's "pickle"
Nelson Elhage.
https://blog.nelhage.com/2011/03/exploiting-pickle/

REF-468

Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization
Chris Frohoff.
https://speakerdeck.com/frohoff/owasp-sd-deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization

Submission

Modifications