
This is an example illustrating how a Java application can be compromised through insecure deserialization: reading a serialized object graph from an untrusted source without restricting which classes it may instantiate. It is a common issue in cybersecurity.

import java.io.*;

public class VulnerableApp {
    public static void main(String[] args) {
        // input.ser is attacker-controlled. ObjectInputStream will instantiate whatever
        // Serializable classes the stream names and run their readObject() hooks.
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream("input.ser"))) {
            Object obj = ois.readObject(); // a gadget chain fires here, before toString() is ever called
            System.out.println("Deserialized object: " + obj.toString());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


The Issue

The code above reads and deserializes an object from the input.ser file without restricting which classes the stream may instantiate. An ObjectInputStream will construct any Serializable class on the application's classpath that the stream names, and will invoke that class's readObject(), readResolve() and related hooks as a side effect. Attackers exploit this by crafting serialized objects that chain such hooks in existing library classes ("gadget chains") into arbitrary code execution on the server when deserialized.

How an Attack Works:

Malicious Payload:

An attacker could create a malicious Java object using a tool like ysoserial, which generates exploit payloads from known gadget chains in widely used libraries.

java -jar ysoserial.jar CommonsCollections5 "calc.exe" > input.ser

Here the payload triggers the execution of the calc.exe program (on Windows) or other arbitrary commands when deserialized. The CommonsCollections5 chain only fires if a vulnerable Apache Commons Collections 3.x jar is on the target's classpath; ysoserial's other payloads target other libraries, so the attacker picks the chain that matches the target's dependencies.

Exploit:

  • The attacker uploads or provides the input.ser file to the application. Any channel the application deserializes counts: a file upload, a cookie, an HTTP request body, an RMI or JMX call.

  • When VulnerableApp deserializes this file, the gadget chain runs inside readObject(), before the application ever calls toString() on the result, so validating the returned object afterwards cannot prevent it.


Mitigation:


Avoid Java Serialization:

  • Use safer alternatives like JSON or XML with libraries such as Jackson or JAXB, and do not enable polymorphic type handling (Jackson's "default typing"), which lets the input name the class to instantiate and reintroduces the same class of problem.

Validate Input:

  • Implement a strict allow-list of deserializable classes. On Java 9+ (and 8u121+) use the built-in ObjectInputFilter from JEP 290; on older runtimes, override resolveClass() in an ObjectInputStream subclass, as below. Keep the list to the concrete classes the application expects; a deny-list of known gadgets will always lag behind new chains.

import java.io.*;
import java.util.Set;

// Allow-list ObjectInputStream: resolveClass() is called for every class descriptor
// in the stream, so a class not on the list is rejected before it is instantiated.
class SafeObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClasses;

    SafeObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowedClasses.contains(desc.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt for class: " + desc.getName());
        }
        return super.resolveClass(desc);
    }
}


Use Libraries with Known Protections:

  • Adopt libraries like Apache Commons IO's ValidatingObjectInputStream (org.apache.commons.io.serialization), which wraps the same allow-list idea in a tested implementation, or rely on the JDK's own ObjectInputFilter, which can also be set process-wide with the jdk.serialFilter system property.
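The following is an added example (not code from the original page) that ties the attack section to the "Validate Input" and "Use Libraries with Known Protections" mitigations. It shows that a Serializable class's readObject() runs during deserialization, exactly where a real gadget chain would reach Runtime.exec(), and that a JEP 290 ObjectInputFilter rejects the class before that hook is reached. The classes Gadget and Greeting are hypothetical stand-ins invented for this demonstration; the code assumes Java 9 or later (java.io.ObjectInputFilter, Set.of).

```java
import java.io.*;
import java.util.Set;

// Added example: readObject() side effects versus an ObjectInputFilter allow-list.
public class DeserializationFilterDemo {

    // Hypothetical stand-in for a gadget: a Serializable class whose readObject()
    // has a side effect. A real gadget chain would execute a command here.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // attacker-controlled logic runs during deserialization
        }
    }

    // Hypothetical class the application legitimately expects to read.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
        @Override public String toString() { return "Greeting(" + text + ")"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: the same pattern as VulnerableApp, no class restriction at all.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter is consulted for every class in the stream (nested ones
    // included) before it is resolved or instantiated, so readObject() never runs.
    static Object readFiltered(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Depth / reference-count checks carry no class; leave them to defaults.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return allowed.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample streams: one benign, one carrying the stand-in gadget.
        byte[] benign = serialize(new Greeting("hello"));
        byte[] hostile = serialize(new Gadget());

        System.out.println("Unfiltered benign:  " + readUnfiltered(benign));
        readUnfiltered(hostile);
        System.out.println("Unfiltered hostile: Gadget.readObject ran = " + Gadget.readObjectRan);

        Gadget.readObjectRan = false;
        // String is listed defensively so the Greeting's text field is never the reason for a rejection.
        Set<String> allowed = Set.of(Greeting.class.getName(), String.class.getName());
        System.out.println("Filtered benign:    " + readFiltered(benign, allowed));
        try {
            readFiltered(hostile, allowed);
        } catch (InvalidClassException e) {
            // Thrown with "filter status: REJECTED"; Gadget.readObject() was never invoked.
            System.out.println("Filtered hostile:   " + e.getMessage()
                    + ", Gadget.readObject ran = " + Gadget.readObjectRan);
        }
    }
}
```

The second unfiltered call flips the flag even though the caller never touches the returned object, which is why checking the result after readObject() is too late. With the filter installed, the same bytes are rejected at class-resolution time and the flag stays false. The filter is an allow-list by name; when a stream legitimately contains arrays or JDK collection classes, add those names explicitly rather than falling back to a deny-list.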

Apply Security Patches:

  • Regularly update Java libraries and dependencies to mitigate known vulnerabilities.
