Saturday, November 2, 2024
HomeData GovernanceDealing with Deserialization of Untrusted Data in Java Applications

Dealing with Deserialization of Untrusted Data in Java Applications

Published on

Malware protection

Serialization is a technique that can transform an object into a byte stream. In the Java programming language, these objects are used to perform a variety of tasks, including authentication and a variety of other tasks. The objects are transformed into a byte stream and then assigned to the user as a cookie, which aids in the authentication process and helps the user identify themselves. Deserialization is the opposite of serialization in that the byte stream returned by the users, which is essential in the HTTP request, is captured by the server and then changed into objects in order to validate the permission sessions of the user, and so forth.

Because of this, Java Deserialization is a mechanism that turns a byte stream into an object, however, the deserialization process causes a large number of security vulnerabilities. Consequently, let us have a discussion about these. 

What is Deserialization Vulnerability of Untrusted Data in Java Applications?

If the deserialization of the byte streams is performed in an unsafe manner, it can result in a large number of vulnerabilities. They have the potential to lead to authentication bypass as well as RCE.

- Advertisement - SIEM as a Service

If applications accept data without performing any sanitization or processing it without performing any validation, this can result in a serious vulnerability. It is known as “Deserialization” to convert byte streams into network objects or data objects from multiple formats, such as JSON or XML. Deserialization makes the program’s structure more vulnerable, and developers can import serialization objects into any custom application as a result of this procedure. Because of this, there will be no need to add or create new columns on every change as a result.

Consider the following example: When a user registers into an application, the program assigns this cookie to the user in order to keep track of his current state on the server, according to the application.

Tzo0OuKAnVVzZXLigJ06Mjp7czo4OuKAnXVzZXJuYW1l4oCdO3M6NDrigJ10ZXN04oCdO3M6NTrigJ1hZG1pbuKAnTtiOjA7fQ==

Given that this cookie is base64 encoded, we can expect to receive a set of objects of this type after decoding the cookie, as seen below.

O:4:”User”:2:{s:8:”username”;s:4:”test”;s:5:”admin”;b:0;}

You can easily see that here permission is being defined, “s” means that the characters are of string and “b” means boolean so if you set b:1 from b:0 you can have access to the admin panel. So this can be used to perform the authentication bypass on the application.

Why does it occur?

Attackers can take advantage of this functionality and manipulate the serialized data because there is no validation performed before the data is processed by the application, which may result in unsafe Deserialization. Untrusted data can readily exploit the weak deserialization function and carry out serious attacks such as access control bypass, the execution of undesired operations, RCE, and many other types of attacks on the target system.

If this state conversion does not make use of any constructors, it will result in the creation of an empty object. As a result, “Constructor level verification and validation” was not performed during the object’s creation in this instance.

Look at a few code snippets that demonstrate how java deserialization is implemented. Serializable classes in Java are responsible for implementing the readObject and writeObject methods, respectively:

According to the code snippet above, a file is being produced using the object “Hi,” and this object is currently being serialized, which will result in the creation of a file that will be delivered to the user.

The content of the file can now be modified by the user using any of the hex decoders available. This code is used to deserialize a file that has been transmitted to the server from the user’s computer.

So, in general, because the program is accepting altered or modified files, it will be simple to exploit the deserialization vulnerability in the application.

How to Remediate

We are all familiar with the Java deserialization vulnerability and how it might manifest itself, however this vulnerability manifests itself when there is no validation performed when converting the byte stream from the objects to bytes. As a result, in order to mitigate this vulnerability, avoid using serialization of objects whenever possible. As a result, if you want to implement serialization in your application, you must first check the ObjectInputStream before performing the deserialization operation. An example of a library that can be of assistance is the Apache Commons I/O library.

This library offers a ValidatedObjectInputStream, which allows you to explicitly enable the deserialization of the objects you want to use in your program. You’ve now eliminated the potential of unanticipated types of deserialization from occurring.

This vulnerability frequently emerges as a result of the inputs being utilized directly to acquire or retrieve files from a server. This is commonly performed by implementing input validation into the user input and whitelisting all of the files that can be obtained using the fetching parameter in the code. 

How I Used WhiteSource Cure to Remediate

These problems are generally caused by developers failing to adhere to fundamental best practices when publishing code, such as not checking user inputs before utilizing them. Therefore, an automated vulnerability scanner is required to scan code for vulnerabilities before merging it in order to identify and correct any issues that may arise.

A buddy of mine who previously used WhiteSource Cure for Java cleanup recommended it to me. According to them, they are “the world’s first custom code security auto-remediation program.” Security considerations don’t have to slow down the speed with which you produce code and applications any longer when utilizing this tool, as I discovered when conducting research for this article.

It scans the GitHub repository for security flaws. In a DevOps workflow, it reads code to see if anything needs to be changed. For this project, I used a free tool that you can use for as long as you like. It also generates a report with remedial alternatives for the flaws that have been identified.

If you apply those patch proposals, you’ll immediately fix the problem, just like if you’d written the fix code yourself. There’s also an IDE plugin included, so applying the patch is as easy as clicking a button! It’s a big help.

How to Use WhiteSource Cure

Using WhiteSource Cure is very easy. I am using the well-known vulnerability app from OWASP, WebGoat, for this demonstration.

  1. Go to GitHub and copy the repo link of WebGoat.
  2. Go to this link, and it will show you a page like this: 
  1. Enter the repo link in the first input field and leave the second field blank and click Fix It!
  2. After that, it will open a page that has all the vulnerabilities detected in your repository. 

Click on any vulnerability, and it will show you where that vulnerability occurs. 

  1. If you want to look for a fix, click on the remediation tab, and it will show you the code required to fix that issue.

Conclusion

Without addressing deserialization vulnerabilities, the organization is at risk of being very vulnerable. Because of this, scanning your code before deployment is critical in ensuring that it can be patched if necessary. If you want to undertake a code review and application patching, you can utilize an automated code scanner like whitesource cure.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

10 Best Linux Distributions In 2024

The Linux Distros is generally acknowledged as the third of the holy triplet of...

Top 10 Best Penetration Testing Companies & Services in 2024

Penetration Testing Companies are pillars of information security; nothing is more important than ensuring...

Best SIEM Tools List For SOC Team – 2024

The Best SIEM tools for you will depend on your specific requirements, budget, and...