Serializable Class Containing Sensitive Data

ID

java.serializable_class_containing_sensitive_data

Severity

low

Resource

Information Leak

Language

Java

Tags

CWE:499, NIST.SP.800-53

Description

Serializable class containing sensitive data.

Rationale

Java’s Serializable interface allows objects to be easily transformed into a byte stream and vice versa. This is useful for various operations like caching, deep copying, or network communications. However, if a class contains sensitive data and implements Serializable without adequate protection, it can lead to exposure of this sensitive information.

Consider the following Java class example:

import java.io.Serializable;

public class UserCredentials implements Serializable {
    private String username;
    private String password;  // Sensitive data

    public UserCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Getter and setter methods...
}

In this scenario, UserCredentials implements the Serializable interface and directly stores sensitive data such as a password. If an instance of UserCredentials is serialized, the password might be exposed in transit or when stored, leading to potential data breaches if intercepted by an attacker.

Remediation

To mitigate the risks associated with serializing classes containing sensitive data, adhere to these remediation practices:

  • Avoid Serialization of Sensitive Data: Wherever possible, avoid making classes that contain sensitive information serializable. Design the application to separate data that needs serialization from sensitive data.

  • Transient Fields: Use the transient keyword to prevent the sensitive fields from being serialized. This ensures that such data is not included in the serialized byte stream.

import java.io.Serializable;

public class UserCredentials implements Serializable {
    private String username;
    private transient String password;  // Marked as transient to avoid serialization

    public UserCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Getter and setter methods...
}

  • Custom Serialization: Implement custom readObject and writeObject methods to handle serialization logic manually. This allows precise control over what data is serialized and how it is processed.

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class UserCredentials implements Serializable {
    private String username;
    private transient String password;

    public UserCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    private void writeObject(ObjectOutputStream oos) throws IOException {
        oos.defaultWriteObject();
        // Custom logic, e.g., use encryption to save the password
    }

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        // Custom logic, e.g., decrypt the password after reading
    }
}

  • Encryption: If serialization of sensitive data is unavoidable, ensure that such data is encrypted before serialization and decrypted upon deserialization.

By implementing these practices, organizations can reduce the chances of exposing sensitive data during serialization processes, thereby enhancing the overall security posture of their applications.

Configuration

The detector has the following configurable parameters:

  • sensitiveKinds, the sensitive data kinds that are going to be reported by this detector.

References