Code injection during object deserialization
ID |
php.code_injection_deserialization |
Severity |
critical |
Resource |
Injection |
Language |
Php |
Tags |
CWE:502, NIST.SP.800-53, OWASP:2021:A8, PCI-DSS:6.5.1 |
Description
Improper deserialization of untrusted data, possibly allowing code injection attacks.
Deserialization vulnerabilities arise when an application deserializes user-controlled data without proper validation, potentially allowing attackers to instantiate unexpected objects or execute crafted functions leading to arbitrary code execution or system exploits.
Rationale
After detecting the vulnerable site, attackers typically craft a payload that is serialized and sent to the application. If the application deserializes this payload without validation, attackers can modify the expected data structure to escalate privileges or perform unwanted actions.
In the worst case, the attackers inject an object of an unexpected type, triggering chosen code execution. This could be used to exfiltrate internal server’s data, install malware e.g. to install and persist crypto-miners, or run a reverse shell.
Consider the following PHP example:
<?php
$data = $_POST['data']; // Untrusted user input deserialized
$obj = unserialize($data);
?>In this example, data from an untrusted source (like user input) is directly deserialized without any validation or sanitation. An attacker could provide specially-crafted serialized data that manipulates the process, for instance by introducing malicious objects or exploiting magic methods like wakeup or destruct in PHP classes to execute unauthorized code.
Remediation
If possible, do not deserialize content to objects when the source is not fully trusted.
Mitigating deserialization vulnerabilities involves several key practices:
-
Avoid Deserialization of Untrusted Input: The most secure approach is to avoid deserializing any untrusted data outright. If deserialization is necessary, consider other safe data formats such as JSON or XML with strict schema validation.
-
Use Secure Libraries: Employ libraries or frameworks that provide secure deserialization mechanisms.
-
Validation and Whitelisting: Implement strict validation. Use a whitelist approach where only the expected, permitted, and safe classes are allowed to be deserialized.
-
Use a Allowlist of Expected Classes: If you must deserialize, you can implement allowlisting to ensure that only known safe classes are instantiated. This approach leverages PHP 7’s
unserialize()options to specify allowed classes.
<?php
$data = $_POST['data'];
$options = ['allowed_classes' => ['SafeClass1', 'SafeClass2']];
$obj = unserialize($data, $options);
?>Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-502 : Deserialization of Untrusted Data.
-
OWASP - Top 10 2021 Category A08 : Software and Data Integrity Failures.
-
Deserialization Cheat Sheet - OWASP Cheat Sheet Series.