Unsanitized user input in deserialization method

Overview

• Rule ID: javascript_lang_unsafe_deserialization

• Applicable Languages: Javascript

• Weakness ID: CWE-502

Description

Deserializing untrusted data is a dangerous practice. This vulnerability occurs when data, especially from external sources such as request objects, is deserialized without proper sanitization. Attackers can insert malicious payloads within serialized data, compromising your application's security upon deserialization.

Remediation Guidelines

• Avoid deserializing data that originates from untrusted sources. This helps prevent attackers from injecting malicious payloads that could jeopardize your application.

• Choose data-only and language-neutral serialization formats such as JSON or XML for deserializing data. These formats are less prone to manipulation by attackers attempting to exploit the deserialization process.

  Copy

  JSON.parse(req.params);

References

• OWASP Deserialization cheat sheet

• CWE-502: Deserialization of Untrusted Data

• OWASP Top 10: A08:2021 - Software and Data Integrity Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL