Learn about how attackers replace deserialization data with untrusted, malicious content.
- [Instructor] Number eight in the OWASP Top 10 is insecure deserialization. Whereas many of the OWASP Top 10 items have been repeated or modified from past versions, insecure deserialization is a completely new addition which is pretty exciting. I'm going to talk about it in general terms to help you understand conceptually how this kind of attack works. To understand how insecure deserialization works, we must first talk about serialization.
Basically, serialization is taking a digital object and transforming it into a format that makes it easy to store or transfer. Deserialization is the opposite process, taking that data and rebuilding the digital object. Here's an analogy from the physical world. Think about the last time you moved. You probably didn't take entire rooms of your previous home and move them just as they were, because that would not have been very efficient.
More likely you broke your furniture down into more manageable parts and packed it into boxes for convenient transit. This is sort of like what's happening during the serialization process. In the deserialization part of this analogy, the boxes are unpacked and the furniture is rebuilt. But what happens to the boxes during storage and transit? Maybe they get packed onto a moving truck or a boat or an airplane.
Along the way, there may be opportunities for tampering with or even replacing the contents inside the moving boxes. This is basically what's happening in an insecure deserialization attack. The hacker replaces the data with malicious content, and when it gets put back together, it can result in denial of service, access control failures, and remote code execution attacks. Basically, the process of deserialization, if not properly checked and implemented, allows for a way that a hacker can send malicious commands to the application program, causing it to do things that it is not supposed to do.
It's similar to other OWASP Top 10 items in that any application which allows for untrusted data without checking or validation runs the risk of malicious instructions being executed.
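The moving-box analogy above, worked through in code as an added example (not part of the instructor's material). It uses Python's pickle, whose serialized bytes can name which callable rebuilds an object, so whoever controls the bytes controls what runs during deserialization. The `MovingBox` class, the `TamperedBox` payload and the `record_call` recorder are all constructed stand-ins: the "malicious content" here only appends to a list, which is enough to show that the receiver executed something the sender chose. Two hardened forms follow: a restricted unpickler that only rebuilds allow-listed classes, and a data-only JSON format whose fields are validated before the object is rebuilt.

```python
import io
import json
import pickle

# Constructed example: the application's own data type, which it serializes
# for storage or transit (the furniture packed into boxes).
class MovingBox:
    def __init__(self, room, items):
        self.room = room
        self.items = list(items)

    def __eq__(self, other):
        return isinstance(other, MovingBox) and (self.room, self.items) == (other.room, other.items)

# Harmless stand-in for "malicious content": it only records that the
# deserializer invoked a callable chosen by whoever produced the bytes.
CALLS = []

def record_call(tag):
    CALLS.append(tag)
    return tag

class TamperedBox:
    """Hypothetical tampered payload. pickle lets an object describe how to
    rebuild itself as (callable, args), so the sender decides what runs."""
    def __reduce__(self):
        return (record_call, ("callable chosen by sender ran",))

def serialize(obj) -> bytes:
    return pickle.dumps(obj)

def unsafe_deserialize(data: bytes):
    # Vulnerable form: every callable named in the bytes is resolved and executed.
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: only the allow-listed class may be reconstructed; any
    other module.name reference in the payload aborts deserialization."""
    def find_class(self, module, name):
        if module == MovingBox.__module__ and name == MovingBox.__name__:
            return MovingBox
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def safe_deserialize(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def to_json(box: MovingBox) -> str:
    # Data-only format: no class or callable names travel in the payload.
    return json.dumps({"room": box.room, "items": box.items})

def from_json(text: str) -> MovingBox:
    # Every field is checked against the expected shape before rebuilding.
    raw = json.loads(text)
    if not isinstance(raw, dict) or set(raw) != {"room", "items"}:
        raise ValueError("unexpected fields in payload")
    if not isinstance(raw["room"], str) or not isinstance(raw["items"], list):
        raise ValueError("wrong field types in payload")
    if not all(isinstance(item, str) for item in raw["items"]):
        raise ValueError("items must be strings")
    return MovingBox(raw["room"], raw["items"])

def demo():
    """Run the honest and tampered payloads through both deserializers."""
    box = MovingBox("kitchen", ["table", "chairs"])
    honest = serialize(box)
    tampered = serialize(TamperedBox())  # constructed: bytes swapped in transit
    results = {}
    results["honest_unsafe"] = unsafe_deserialize(honest) == box
    CALLS.clear()
    unsafe_deserialize(tampered)
    results["tampered_ran_code"] = CALLS == ["callable chosen by sender ran"]
    results["honest_safe"] = safe_deserialize(honest) == box
    try:
        safe_deserialize(tampered)
        results["tampered_rejected"] = False
    except pickle.UnpicklingError:
        results["tampered_rejected"] = True
    results["json_roundtrip"] = from_json(to_json(box)) == box
    return results

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The restricted unpickler is the narrower fix when a binary object format cannot be replaced; the JSON path is the stronger one, because a data-only format has no way to name code at all, and the validation in `from_json` is the "checking" the instructor refers to.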