This blog has been updated to reflect changes in newer Java versions and vulnerabilities that are exploitable due to deserialization. We also included a recent conference talk where Java deserialization exploits were shown in a live demo.

Java serialization is a mechanism to transform an object into a byte stream. Java deserialization, on the other hand, allows us to recreate an object from a byte stream. Java serialization, and deserialization in particular, is known as “the gift that keeps on giving” because it has produced many security issues and vulnerabilities over the years.

Objects in a running Java program are stored in memory and removed by the garbage collector once they’re no longer being used. If we want to transfer an object and, for instance, store it on a disk or send it over a network, we need to transform it into a byte stream. To do this, the class of that object needs to implement the Serializable interface.

What is deserialization in Java?

Deserialization is precisely the opposite of serialization. With deserialization, you start with a byte stream and re-create the object you previously serialized in its original state. However, you must have the definition of the object’s class to successfully re-create it.

What is a Java deserialize vulnerability?

A Java deserialize vulnerability is a security vulnerability that occurs when a malicious user tries to insert a modified serialized object into the system in order to compromise the system or its data. Think of an arbitrary code execution vulnerability that can be triggered when deserializing a serialized object. To better explain Java deserialize vulnerabilities, we first need to explore how deserialization works in Java.

As we discussed earlier, serialization allows us to convert the state of an object into a byte stream. This byte stream does not contain the actual code. Java serialization uses reflection to scrape all necessary data from the object’s fields, including private and final fields. If a field contains an object, that object is serialized recursively. Even though you might have getters and setters, these functions are not used when serializing an object in Java. When deserializing a byte stream back to an object, Java does not use the constructor. It simply creates an empty object and uses reflection to write the data to the fields. Just like with serialization, private and final fields are also included.
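The mechanics described above, as an added example that is not the blog's own code: a constructed Serializable class with a private final field is written with ObjectOutputStream and read back, showing that its constructor does not run again and that the private final value is restored, while the ObjectInputFilter allowlist (Java 9+, JEP 290) is the standard mitigation that rejects classes a stream is not expected to carry. The class and field names are assumptions.

```java
import java.io.*;

// Added example (not the blog's own code). Account is a constructed sample class.
public class DeserializationDemo {
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        static int constructorCalls = 0;        // static fields are never serialized
        private final String owner;             // private final: serialized and restored
        private transient String sessionToken;  // transient: skipped, comes back as null
        Account(String owner, String sessionToken) {
            constructorCalls++;
            this.owner = owner;
            this.sessionToken = sessionToken;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);  // reflection reads every non-static, non-transient field
        }
        return bos.toByteArray();
    }

    // The filter is consulted for each class in the stream before any instance of it
    // is created, so a class outside the allowlist is rejected, never instantiated.
    static Object deserialize(byte[] bytes, String allowlist)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowlist));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Account("alice", "session-123"));
        Account copy = (Account) deserialize(bytes, "DeserializationDemo$Account;java.lang.String;!*");
        // Deserialization skipped Account's constructor: only the no-arg constructor of the
        // first non-Serializable superclass (Object here) runs, so the counter is unchanged.
        System.out.println("constructor calls: " + Account.constructorCalls);
        System.out.println("owner (private final, restored): " + copy.owner);
        System.out.println("sessionToken (transient, not in stream): " + copy.sessionToken);
        try {  // Same bytes, but Account is not on this allowlist: rejected before instantiation.
            deserialize(bytes, "java.lang.String;!*");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```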