# Unsanitized user input in deserialization method

## Overview

* **Rule ID**: `java_lang_deserialization_of_user_input`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-502

## Description

Deserializing untrusted data, such as data from request parameters or cookies, without adequate verification is unsafe. Attackers can embed payloads or malicious objects in the serialized data, exposing your application to security risks such as code execution during deserialization.

## Remediation Guidelines

* **Avoid** deserializing data directly from untrusted sources, including user input, parameters, or cookies.
* **Refrain** from using XMLEncoder and XMLDecoder for serialization and deserialization; they are insecure and can enable attacks when the XML comes from an untrusted source.
* **Opt for data-only and language-agnostic serialization formats like JSON**, which are less prone to manipulation by attackers seeking to exploit the deserialization process.
* **Utilize deserialization methods** that allow explicit definition of permitted object types. This approach helps mitigate the risk of deserializing potentially malicious objects.
* **Restrict deserialization** to specific, trusted object types, and avoid allowing deserialization of generic base object types such as Object. This practice minimizes the risk of executing unintended or malicious code.
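The following is an added example, not part of this rule's documentation or the vendor's tool, that shows the pattern the rule flags beside the hardened form the guidelines describe. It uses the JDK's own `ObjectInputFilter` (available since Java 9) to allow-list a single expected class and reject everything else; the `com.example` package, the `Order` class and the byte arrays are constructed for illustration.

```java
package com.example;

import java.io.*;

// Constructed domain type: the only class the application expects in the stream.
class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String sku;
    final long quantity;
    Order(String sku, long quantity) { this.sku = sku; this.quantity = quantity; }
}

public class DeserializationDemo {

    // VULNERABLE: bytes taken from a cookie, parameter or request body go straight
    // into readObject(), so any serializable class on the classpath may be
    // instantiated. This is the pattern the rule reports.
    static Object deserializeUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED: the filter allow-lists Order and the field type it needs; the
    // trailing "!*" rejects every other class before it is instantiated, and the
    // resource limits bound nesting, array size and stream size.
    private static final ObjectInputFilter ALLOW_ORDER_ONLY = ObjectInputFilter.Config.createFilter(
            "com.example.Order;java.lang.String;maxdepth=3;maxarray=1000;maxrefs=100;maxbytes=65536;!*");

    static Order deserializeOrder(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_ORDER_ONLY);
            Object o = in.readObject();           // throws InvalidClassException when the filter rejects
            if (!(o instanceof Order)) {          // never hand back the generic Object type
                throw new InvalidObjectException("expected Order, got " + o.getClass().getName());
            }
            return (Order) o;
        }
    }

    // Helper used only to build the constructed inputs for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("SKU-1", 2));
        // A HashMap stands in for any class that is not on the allow-list.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("filtered, expected type: " + deserializeOrder(expected).sku);
        try {
            deserializeOrder(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }
        // The unfiltered path accepts the same bytes without complaint.
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass().getName());
    }
}
```

The filter pattern is evaluated per class as the stream is read, so a rejected class never reaches its constructor or `readObject` hook. Where the data does not need to be Java objects at all, the guideline above to switch to a data-only format such as JSON removes the object graph from the attack surface entirely; the filter is the fallback when native serialization cannot be replaced.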

## References

* [**OWASP XML External Entity Prevention Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java)
* [**OWASP Deserialization Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
* [**CWE-502: Deserialization of Untrusted Data**](https://cwe.mitre.org/data/definitions/502.html)
* [**OWASP Top 10: A08:2021 - Software and Data Integrity Failures**](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)

## Configuration

To disable this rule for a scan, or to set up continuous code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sec1.io/user-docs/4-sast/2-java/unsanitized-user-input-in-deserialization-method.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
