Insecure deserialization is one of the most critical web application security risks, yet it is by no means a new vulnerability category. Data serialization and deserialization have been used widely in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, finally, remote code execution. Two recent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, helped raise awareness of this risk.
We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities.
Alexei Kojenov (https://twitter.com/kojenov) is a Senior Application Security Consultant with years of prior software development experience. During his career with IBM, he gradually moved from writing code to breaking code. Since late 2016, Alexei has been working as a consultant at Aspect Security, helping businesses identify and fix vulnerabilities and design secure applications. Aspect Security was recently acquired by Ernst&Young and joined EY Advisory cybersecurity practice.