Unsanitized user input in deserialization method

Overview

  • Rule ID: java_lang_deserialization_of_user_input

  • Applicable Languages: Java

  • Weakness ID: CWE-502

Description

Deserializing untrusted data, such as data taken from request parameters or cookies, without adequate verification is unsafe. An attacker who controls the serialized bytes can inject payloads or malicious code into them, exposing your application to security risks.

Remediation Guidelines

  • Avoid deserializing data directly from untrusted sources, including user input, parameters, or cookies.

  • Refrain from using XMLEncoder and XMLDecoder for serialization and deserialization due to their insecurity and potential for enabling attacks.

  • Opt for data-only and language-agnostic serialization formats like JSON, which are less prone to manipulation by attackers seeking to exploit the deserialization process.

  • Use deserialization methods that let you explicitly define the permitted object types (an allowlist). This mitigates the risk of deserializing potentially malicious objects.

  • Restrict deserialization to specific, trusted object types, and do not accept generic base types such as Object. This minimizes the risk of executing unintended or malicious code.
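The last three guidelines together describe one hardened pattern for Java's built-in serialization: an allowlist filter on the stream plus a result narrowed to a single expected type. The following is an added example written for this page, not code from the rule or from any scanner; the `OrderRequest` class, the field names, the resource limits and the sample inputs are all assumptions chosen for illustration. It places the flagged pattern (`unsafeRead`) beside the hardened form (`safeRead`) so the difference is visible when both are fed the same constructed input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserializationExample {

    // Hypothetical data-only type: the ONE class this endpoint is meant to receive.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // The pattern the rule flags: bytes taken straight from a request body or cookie are
    // handed to readObject(), which instantiates whatever class the stream names.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Allowlist of class names the stream may reference. Everything not listed is rejected.
    private static final Set<String> ALLOWED_CLASSES = Set.of(OrderRequest.class.getName());

    // ObjectInputFilter (java.io, JDK 9+) is consulted before each object is instantiated.
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        // Resource limits (assumed values): even a stream of permitted classes can be hostile in size/depth.
        if (info.depth() > 2 || info.references() > 32 || info.streamBytes() > 16 * 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Invoked for limit checks without a class; the limits above already ran.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (clazz.isArray()) {
            // OrderRequest has no array fields, so any array in the stream is unexpected.
            return ObjectInputFilter.Status.REJECTED;
        }
        return ALLOWED_CLASSES.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // Hardened form: allowlist filter on the stream, and the result narrowed to the one
    // expected type instead of being returned as Object.
    static OrderRequest safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOWLIST_FILTER);
            Object o = in.readObject(); // throws InvalidClassException if the filter rejects
            if (!(o instanceof OrderRequest)) {
                throw new InvalidClassException("unexpected root type: " + o.getClass().getName());
            }
            return (OrderRequest) o;
        }
    }

    // Helper that produces the constructed sample input used in main().
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: the expected type, accepted by the filter.
        OrderRequest ok = safeRead(serialize(new OrderRequest("SKU-123", 2)));
        System.out.println("accepted: " + ok.sku + " x" + ok.quantity);

        // Constructed input 2: a harmless but unexpected type (HashMap). The flagged reader
        // materialises it; the hardened reader rejects it before anything is instantiated.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafeRead returned: " + unsafeRead(unexpected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safeRead rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be expressed declaratively with `ObjectInputFilter.Config.createFilter("SafeDeserializationExample$OrderRequest;!*;maxdepth=2")`, where the trailing `!*` rejects every class not matched earlier in the pattern; the lambda form above is used because it also shows where the resource limits and the array check sit. Whichever form is used, keep the `instanceof` narrowing in `safeRead`: the filter decides which classes may be built, and the cast decides which class the caller is willing to act on.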

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
