What is serialization in Java?

Java objects live in memory and are removed by the garbage collector once they are no longer used. If we want to transfer an object, for instance to store it on disk or send it over a network, we need to transform it into a byte stream. To do this, the class of that object needs to implement the Serializable interface. Serialization converts the state of an object into a byte stream; that byte stream does not contain the actual code of the class.

Java serialization uses reflection to scrape all necessary data from the object's fields, including private and final fields. If a field contains another object, that object is serialized recursively. Even though you might have getters and setters, these methods are not used when serializing an object in Java.

What is deserialization in Java?

Deserialization is precisely the opposite of serialization. You start with a byte stream and re-create the object you previously serialized, in its original state. However, the class definition of the object must be available on the receiving side to successfully re-create it.

When deserializing a byte stream back into an object, Java does not call the constructor. It creates an empty object and uses reflection to write the data from the stream into the fields. Just as with serialization, private and final fields are included.

What is a Java deserialize vulnerability?

A Java deserialize vulnerability is a security vulnerability that occurs when a malicious user inserts a modified serialized object into the system in order to compromise the system or its data. Think of an arbitrary code execution vulnerability that can be triggered when deserializing an attacker-supplied object. To explain Java deserialize vulnerabilities properly, we first need to look at what deserialization actually does.

Explaining Java deserialize vulnerabilities

A serialized object in Java is a byte array with state information. It contains the name of the class it refers to and the values of its fields. If you open a stored serialized object in a hex editor, you can read and manipulate that information quickly.

We already know that Java deserialization does not use the constructor to create an object; it loads the fields through reflection instead. This means that any validation done in the constructor is never executed when the object is recreated. Think of a check such as "start date must be before end date" when describing a period. After deserialization, the new object can therefore be in a state the constructor would never have allowed.

Let's look at the following example, where we read back (deserialize) an object of the serializable class ValueObject that was serialized to a file earlier:

    FileInputStream fileIn = new FileInputStream("r");
    ObjectInputStream in = new ObjectInputStream(fileIn);
    ValueObject vo2 = (ValueObject) in.readObject();

When deserializing the binary file after adjusting it in a hex editor, we find that the object's value changed. We also find that the timestamp set by the constructor did not change, proving that the constructor was never called. If an application accepts serialized objects from the outside, it is relatively easy to tamper with the values.
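The tampering described above, as an added example that is not code from the original article: the bytes are modified in memory instead of with a hex editor, against a Period class whose constructor enforces "start not after end", and the same bytes are then fed to a hardened version that re-checks the invariant in readObject and deserializes behind an ObjectInputFilter allow-list. The names TamperDemo, Period, SafePeriod, overwriteLastInt and readAllowListed are assumptions made for this example, and the byte-offset trick relies on the class having only primitive fields and no writeObject method.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Run with: java TamperDemo.java   (Java 11 or newer, single-file launcher)
public class TamperDemo {
    public static void main(String[] args) throws Exception {
        // 1. Serialize a valid object; the constructor has enforced start <= end.
        byte[] stream = serialize(new Period(1, 10));

        // 2. Tamper with the bytes, which is what the hex editor does in the article.
        //    Period has two int fields and no writeObject method, so ObjectOutputStream
        //    writes their raw big-endian values at the very end of the stream, in
        //    name-sorted order: 'end' (4 bytes) then 'start' (4 bytes). Set start = 99.
        byte[] tampered = overwriteLastInt(stream, 99);

        // 3. A plain ObjectInputStream rebuilds the object through reflection: no
        //    constructor, no validation, and the invariant start <= end is now broken.
        Period bad = (Period) new ObjectInputStream(new ByteArrayInputStream(tampered)).readObject();
        System.out.println("unchecked: " + bad + " valid=" + bad.isValid());

        // 4. The same tampering against SafePeriod is caught by its readObject hook,
        //    and the allow-list filter keeps any other class out of the stream.
        byte[] tamperedSafe = overwriteLastInt(serialize(new SafePeriod(1, 10)), 99);
        try {
            readAllowListed(tamperedSafe);
            System.out.println("BUG: tampered SafePeriod was accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Replace the last big-endian int in the stream with 'value'.
    static byte[] overwriteLastInt(byte[] stream, int value) {
        byte[] copy = Arrays.copyOf(stream, stream.length);
        int off = copy.length - 4;
        copy[off] = (byte) (value >>> 24);
        copy[off + 1] = (byte) (value >>> 16);
        copy[off + 2] = (byte) (value >>> 8);
        copy[off + 3] = (byte) value;
        return copy;
    }

    // Deserialize with an allow-list: only SafePeriod may be instantiated, and "!*"
    // rejects every other class, which stops gadget-chain payloads before any code runs.
    static SafePeriod readAllowListed(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("SafePeriod;!*"));
            return (SafePeriod) in.readObject();
        }
    }
}

// Vulnerable shape: the only validation lives in the constructor, which
// deserialization never calls.
class Period implements Serializable {
    private static final long serialVersionUID = 1L;
    final int start, end;
    Period(int start, int end) {
        if (start > end) throw new IllegalArgumentException("start after end");
        this.start = start;
        this.end = end;
    }
    boolean isValid() { return start <= end; }
    @Override public String toString() { return "Period[start=" + start + ", end=" + end + "]"; }
}

// Hardened shape: readObject is the hook that does run during deserialization,
// so the constructor's check is repeated there and a bad stream is rejected.
class SafePeriod implements Serializable {
    private static final long serialVersionUID = 1L;
    final int start, end;
    SafePeriod(int start, int end) {
        if (start > end) throw new IllegalArgumentException("start after end");
        this.start = start;
        this.end = end;
    }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();   // fill the fields from the stream
        if (start > end) {        // re-apply the constructor's invariant
            throw new InvalidObjectException("start " + start + " after end " + end);
        }
    }
}
```

Running it with `java TamperDemo.java` deserializes the tampered Period into an instance with start greater than end, exactly the invalid state the text describes, while the tampered SafePeriod is refused with an InvalidObjectException. The readObject hook is the only code that executes in place of the constructor, so every invariant the constructor enforces has to be repeated there (or the class should switch to a serialization proxy); the ObjectInputFilter allow-list addresses the separate problem of attacker-chosen classes in the stream, which is where the arbitrary-code-execution case comes from.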