(De | Un)serialization Detailed with Demo

Hello Friends,

In this post. I am going to cover Deserialization or Unserialization Vulnerability detailed with a Practical Example.

Before going in depth of this post. be clear Desirialize and Unserialize is a same this in two different computer programming language. that is Unserialize in PHP and Deserialize in JAVA.

Notes for Reader

Are you Excited?? Okay… let’s take a look at what you’ll going to learn from this post. 😉

Index

• Introduction
• What is Serialization Data?
• What is (De | Un)Serialization?
• Example PHP Code with Explanation
• Mitigation

Introduction

A deserialization attack occurs when an attacker is able to manipulate data that is being deserialized by a target application. This can allow the attacker to execute arbitrary code or perform other malicious actions. This type of attack is particularly dangerous because it can be used to bypass security measures, such as input validation and authentication.

A demonstration of a deserialization attack could involve a web application that deserializes user-supplied data in order to perform some action, such as displaying the data on a webpage or storing it in a database. The attacker could create a malicious payload that, when deserialized, would execute arbitrary code on the server.

For example, an attacker could create a serialized Java object that, when deserialized, would open a command prompt on the server. The attacker could then use this command prompt to gain access to sensitive information or take control of the server.

To mitigate deserialization attacks, it is important to validate any data that is being deserialized and to use a secure deserialization library that can detect and prevent malicious payloads. Additionally, it is a good practice to run the application with the lowest possible privilege and to monitor the system logs for any suspicious activities.

It’s worth mentioning that there are also several libraries and frameworks that can help prevent deserialization attacks, such as the Java SerialKiller, the Python Secure-Serialization, and the .NET Anti-XSS Deserialization Library.

What is Serialization Data?

Serialization is the process of converting an object’s state to a format that can be stored or transmitted, such as a string of bytes. The resulting data, which is typically in a binary format, is called serialized data. This data can later be deserialized, which is the process of converting the serialized data back into an object with the same state as the original object.

Serialization can be used to store the state of an object in a file or database or to transmit the object over a network. It is also commonly used in web development to pass objects between different layers of an application, such as between the application server and the client browser.

Serialization can be implemented in various ways, such as using custom code or a library. Some common libraries and frameworks that support serialization include Java’s Serializable interface, Python’s pickle module, and C#’s BinaryFormatter class.

It’s worth mentioning that not all objects can be serialized, only the objects that implement a Serializable interface or objects that can be converted to a byte stream.

What is (De | Un)Serialization?

PHP unserialization is the process of converting a string of serialized data back into a PHP object. This can be done using the built-in unserialize() function in PHP. The unserialize() function takes a string of serialized data as an argument and returns the original PHP object.

For example, the following code serializes an array of integers and then unserializes it to create a new array:

$original_array = array(1, 2, 3);
$serialized_data = serialize($original_array);
$unserialized_array = unserialize($serialized_data);

It’s worth mentioning that unserialization can be a security risk if the serialized data is user-supplied and not properly sanitized, as it can lead to code execution or other malicious actions. To prevent these types of attacks, it is important to validate any data that is being unserialized, and to use a secure unserialization library that can detect and prevent malicious payloads.

Additionally, you should be aware that unserializing serialized data from untrusted sources could be dangerous because it can lead to arbitrary code execution. This is why it is recommended to use a secure unserialization library or use the data with a limited context where the data can not be used to execute arbitrary code.

Example PHP Code with Explanation

here is an example of a PHP script that demonstrates how to serialize and unserialize an object:

<?php

// Define a simple class
class MyClass {
    public $property1;
    public $property2;

    public function __construct($p1, $p2) {
        $this->property1 = $p1;
        $this->property2 = $p2;
    }
}

// Create an instance of the class
$obj = new MyClass("value1", "value2");

// Serialize the object
$serialized_data = serialize($obj);

// Output the serialized data
echo $serialized_data . "\n";

// Unserialize the data
$unserialized_obj = unserialize($serialized_data);

// Output the properties of the unserialized object
echo $unserialized_obj->property1 . "\n";
echo $unserialized_obj->property2 . "\n";

?>

Here’s a line-by-line explanation of what the script does:

1. Defines a simple class MyClass which has two properties property1 and property2
2. A constructor which accepts 2 arguments and assigns them to properties
3. An instance of the class is created using the constructor and passed values “value1” and “value2”
4. $obj is serialized to a string using the serialize() function
5. The serialized data is printed
6. The serialized data is unserialized using the unserialize() function
7. The properties of the unserialized object are printed

It’s important to note that the serialized data generated by serialize() the function is a string representation of the object and can be used to recreate the object by using unserialize().

Also, as I mentioned before, be careful when unserializing user-supplied data to avoid code execution or other malicious actions.

Mitigation

There are several best practices and techniques that can be used to mitigate the risk of PHP unserialization vulnerabilities:

1. Input validation: Ensure that any data that is being unserialized is properly validated and sanitized to prevent malicious payloads from being passed to the unserialize() function.
2. Use a secure unserialization library: There are libraries available that can detect and prevent malicious payloads from being unserialized.
3. Run the application with the lowest possible privilege: By running the application with the least amount of privilege necessary, an attacker will have fewer opportunities to exploit a vulnerability.
4. Monitor system logs: Regularly monitoring system logs can help detect suspicious activity that may indicate an attempted unserialization attack.
5. Update software and libraries: Keep your software and libraries up to date to ensure that any known vulnerabilities are patched.
6. Disable unserialize when not needed: If you don’t need to use unserialize function in your script, it’s recommended to disable it.
7. Use a WAF (Web Application Firewall) : Use a WAF to detect and block malicious payloads.
8. Use a framework: Use a framework that implements security best practices, such as input validation and secure unserialization, to help prevent unserialization vulnerabilities.

It’s important to understand that unserialization vulnerabilities can be difficult to detect and exploit, but by following these best practices, you can significantly reduce the risk of an unserialization attack.