Detecting insecure deserialization
Deserialization is the process of converting data received in one form into data structures that the application manages, for example a request sent in JSON format that the application parses and handles as XML. There are also deserialization vulnerabilities tied to the technology used in development: these convert resources of a certain serialized form into binary objects.
To understand the vulnerability, review the following code snippet, published with CVE-2011-2092:
```actionscript
[RemoteClass(alias="javax.swing.JFrame")]
public class JFrame {
    public var title:String = "Gotcha!";
    public var defaultCloseOperation:int = 3;
    public var visible:Boolean = true;
}
```
This ActionScript code defines a class named JFrame whose RemoteClass annotation aliases it to the Java class javax.swing.JFrame. The next snippet shows how a serialized object is read on the server side:
```java
InputStream is = request.getInputStream();          // raw request body, fully under the client's control
ObjectInputStream ois = new ObjectInputStream(is);  // no restriction on which classes the stream may name
AcmeObject acme = (AcmeObject) ois.readObject();    // the object graph is instantiated before the cast is checked
```
The issue is that any kind of...
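The ObjectInputStream snippet above accepts whatever class names the stream carries. The following is an added example, not code from the original text, showing that vulnerable read beside a hardened version that uses look-ahead deserialization (an overridden resolveClass) together with the JDK 9+ ObjectInputFilter to allow-list the single application class the endpoint expects. AcmeDeserializer, AcmeObject and the allow-list contents are hypothetical names chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class AcmeDeserializer {

    /** Hypothetical application class that this endpoint is meant to receive. */
    public static final class AcmeObject implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        AcmeObject(String name) { this.name = name; }
    }

    // Allow-list: the only classes the endpoint is permitted to reconstruct.
    private static final Set<String> ALLOWED = Set.of(
        AcmeObject.class.getName(),
        "java.lang.String");

    /** Look-ahead deserialization: the class is checked before any instance is created. */
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
            // Second layer (JDK 9+): the filter also caps nesting depth and stream size.
            setObjectInputFilter(AcmeDeserializer::filter);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static ObjectInputFilter.Status filter(ObjectInputFilter.FilterInfo info) {
        // Depth and size limits blunt resource-exhaustion payloads built from nested objects.
        if (info.depth() > 10 || info.streamBytes() > 64 * 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED; // callback is not about a class (e.g. an array length)
        }
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        return clazz.isPrimitive() || ALLOWED.contains(clazz.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    }

    /** Vulnerable form, as on the page: any serializable class on the classpath can be instantiated. */
    static Object readUnsafe(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(is)) {
            return ois.readObject();
        }
    }

    /** Hardened form: same call site, but only allow-listed classes are ever resolved. */
    static Object readSafe(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(is)) {
            return ois.readObject();
        }
    }

    /** Helper for the demo: serialize an object into the bytes a request body would carry. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected object and one of an unrelated JDK class.
        byte[] expected = serialize(new AcmeObject("order-42"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("accepted: " + ((AcmeObject) readSafe(new ByteArrayInputStream(expected))).name);
        try {
            readSafe(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Both layers reject the HashMap stream before a single instance of it exists: resolveClass runs first and throws InvalidClassException, and the ObjectInputFilter would reject it independently if resolveClass were bypassed by a subclass that forgot the override. The allow-list deliberately omits arrays and collections because this endpoint does not need them; widen it only per concrete class, never by package prefix.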