CWE-502: Deserialization of Untrusted Data (Pickling, Unpickling)

Background

Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").

How to prevent it

Practical mitigations for CWE-502, grouped by where in the lifecycle they apply.

Architecture and Design

Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Implementation

Explicitly define a final object() to prevent deserialization.

Architecture and Design

Implementation

Make fields transient to protect them from deserialization.

An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Architecture and Design

Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Operation

Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Effectiveness: Moderate — An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code snippet deserializes an object from a file and uses it as a UI button:

Vulnerable example

java

try {

Safe example

java

private final void readObject(ObjectInputStream in) throws java.io.IOException {

In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.

Vulnerable example

python

try {

Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh.

Background

CWE-502: Deserialization of Untrusted Data

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-502?

What CVEs are caused by CWE-502?

How do you prevent CWE-502?

How is CWE-502 detected?

What are the consequences of CWE-502?

Is CWE-502 actively exploited?

References

Stay ahead of CWE-502

Background

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Terminology & mappings

Alternate terms

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-502?

What CVEs are caused by CWE-502?

How do you prevent CWE-502?

How is CWE-502 detected?

What are the consequences of CWE-502?

Is CWE-502 actively exploited?

References

Stay ahead of CWE-502