Also, you can check whether the "Content-Type" HTTP response header is set to application/x-java-serialized-object; this may indicate that the response body is a serialized object stream.
Impact
Since we know how to serialize and deserialize an object, what harm can this feature bring us? It can lead to a lot of dangerous vulnerabilities, such as privilege escalation, arbitrary file access, and denial-of-service attacks, and it usually leads to Remote Code Execution (RCE).
Remediation
Keep in mind that there is no "silver bullet" that can prevent deserialization attacks. It is best to avoid taking serialized input from users or untrusted sources and deserializing it at all, but if deserializing is a must, then implementing a few of the following techniques is a good way to mitigate deserialization attacks in Java:
- Log deserialization exceptions and failures, such as when the incoming type is not the expected type or the deserialization throws an exception.
- Isolate and run the code that deserializes in a low-privilege environment when possible.
- If possible, only permit primitive data types like byte, short, int, long, float, double, boolean, and char.
- In your code, override the ObjectInputStream.resolveClass() method to prevent arbitrary classes from being deserialized. This safe behavior can be wrapped in a library like SerialKiller.
- Restrict or monitor incoming and outgoing network connectivity from the containers or servers that deserialize.
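As an added example (not code from the original post, and not from SerialKiller or any other library), here is one way to apply the resolveClass() override from the list above. It assumes the application only ever expects to read back a single Session class; any other class name in the stream is logged and refused before the JVM loads or instantiates it. The Session class and the sample objects are constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserialization {

    // The only type this application expects to deserialize (assumed for this example).
    static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final long expiresAt;
        Session(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    // Allowlist of class names that may be resolved from an incoming object stream.
    private static final Set<String> ALLOWED = Set.of(Session.class.getName());

    // ObjectInputStream that consults the allowlist in resolveClass(), which runs
    // for every class descriptor in the stream before the class is loaded.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Log the attempt and refuse; nothing from this class gets instantiated.
                System.err.println("Rejected class in object stream: " + name);
                throw new InvalidClassException(name, "not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Helper used only to build sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Reads a Session from untrusted bytes; also checks the top-level type after reading.
    static Session readSession(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            Object o = ois.readObject();
            if (!(o instanceof Session)) {
                throw new InvalidClassException(o.getClass().getName(), "unexpected top-level type");
            }
            return (Session) o;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the expected class deserializes normally.
        Session ok = readSession(serialize(new Session("alice", 1_700_000_000L)));
        System.out.println("accepted: " + ok.user);

        // Constructed sample: any other class is refused inside resolveClass().
        try {
            readSession(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121+), the JDK ships the same idea as a built-in filter: ObjectInputStream.setObjectInputFilter() with a pattern such as "SafeDeserialization$Session;!*" rejects everything not named in the allowlist without a subclass. Note that a String written with writeObject() does not pass through resolveClass(), so the post-read instanceof check above is still worth keeping.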
Abusing Deserialization Vulnerability
I will demonstrate how to exploit this vulnerability by doing this lab from PortSwigger Academy. But first, let's learn about gadgets and why we need them.
Gadgets are pieces of code that already exist inside the application. Attackers use them to accomplish their goals, but a single gadget may not by itself do anything harmful with user input. Still, an attacker can pass the input into a dangerous gadget by chaining multiple gadgets together. Manually identifying gadget chains requires source code access and can be a difficult task; fortunately, there are tools to automate the gadget-finding process, such as gadgetinspector, and there are also tools such as ysoserial that come with a range of pre-discovered chains that have been successfully tested and exploited on other websites.
Lab
The objective of this lab is to delete a file from the server, as shown in the picture below.