Insecure Deserialization


1 hour 6 minutes
Video Transcription
Hey, everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about web defense.
So, quick pre-assessment question here: insecure deserialization is the most common vulnerability in the OWASP Top 10. Is that true or false? This one's kind of easy.
All right, so the answer there is false, right? We already know that injection is the most common vulnerability in the OWASP Top 10. It's number one on the list, and then also, as kind of the flip side of that, SQL injection being the most prevalent there of the type of attack an attacker would use.
So, insecure deserialization. Serialization itself: we're taking the object, we convert it to a byte stream, and then it's, you know, going to a file, memory, a database. Deserialization is basically just the opposite of that, right? We're taking the byte stream, and then we're converting that back into an object. So what happens here in this type of vulnerability is that the attacker supplies hostile objects, we deserialize those, and we actually, you know, lose data, you know, the attacker gets privileged access, et cetera.
So prevalence is common based on a survey. There's actually not a whole lot of data out there from the real world, out there in the wild, as we call it in the industry. So they did a survey of organizations. But there's, you know, OWASP doesn't necessarily have any real data on it. And it does take manual attacker review. So again, it's not a very prevalent thing that an attacker would normally use when you could do something like SQL injection and just, you know, get access to the organization that way.
So how do we check for it? Manual code review is a common thing to use, but again, that takes time, right? If you've got a huge application, going through there is gonna take some time. Validating the data, and then also properly sanitizing data that is being deserialized. Um, so that way we can see if it's actually malicious or not.
Impact here, you know, data tampering types of attacks. They could also lead to other attacks. Like, you know, this could be used in a replay or injection type of attack, privilege escalation as well.
So, preventing it. You know, we kind of talked about this a little bit, but, you know, putting integrity checks in place, so using digital signatures; logging any type of deserialization failures or exceptions, along with that, monitoring as well; isolating code; and then also encrypting our serialized data, so that way an attacker can't manipulate it.
So, quick post-assessment question here. Bill's looking for ways to reduce the likelihood of this type of vulnerability. Which of the following is not something that he could do effectively to reduce the risk?
All right, so if you guessed answer D, using serialization in web services, it doesn't actually help reduce the risk at all. And if anything, it actually increases the risk, because now we've got the risk of the attacker being able to inject malicious objects, and then we deserialize those.
So in this video, we just talked about, at a very high level, insecure deserialization. Now, um, from a secure coding standpoint, we didn't go into that. But I do want to mention, if you are a coder out there, we do have a secure coding course on the site, and it'll jump into this particular area a little more in depth for you.
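The following Python example is added here to illustrate the points made in the video; it is not code from the video, the course, or Cybrary. It puts the weak pattern (handing untrusted bytes straight to a native object deserializer) next to a hardened form that applies the controls the instructor lists: an integrity check (an HMAC tag, standing in for the digital signature mentioned), validation of the deserialized data against an allow-list schema, and logging of every deserialization failure so monitoring can pick it up. The key, the `user`/`role` schema, the role list and the helper names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import logging
import pickle

log = logging.getLogger("deserialization")
logging.basicConfig(level=logging.WARNING)

# Constructed demo key. A real service loads this from a secret store and rotates it.
DEMO_KEY = b"demo-key-replace-me-0123456789abcdef"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC tag in front of the payload

# Constructed allow-list: the only roles this demo service accepts.
ALLOWED_ROLES = {"viewer", "editor"}


class DeserializationError(ValueError):
    """Raised when a token fails the integrity or schema checks."""


# --- Weak pattern -----------------------------------------------------------
def load_untrusted_pickle(blob: bytes):
    """The pattern the video warns about: pickle rebuilds arbitrary Python
    objects, so whoever controls `blob` decides which classes get instantiated.
    Nothing here checks where the bytes came from or what they contain."""
    return pickle.loads(blob)


# --- Hardened pattern -------------------------------------------------------
def serialize_signed(obj: dict, key: bytes = DEMO_KEY) -> bytes:
    """Encode as JSON (plain data, no object graphs) and prepend an HMAC tag."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload)


def validate_session(data) -> dict:
    """Schema check: only the keys and value types the application expects."""
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        log.warning("deserialization rejected: unexpected shape %r", type(data))
        raise DeserializationError("unexpected shape")
    if not isinstance(data["user"], str) or not isinstance(data["role"], str) \
            or data["role"] not in ALLOWED_ROLES:
        log.warning("deserialization rejected: bad field values")
        raise DeserializationError("bad field values")
    return data


def deserialize_signed(token: bytes, key: bytes = DEMO_KEY) -> dict:
    """Verify the tag before parsing anything, then validate the parsed data.
    Every rejection is logged so it can be monitored."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError) as exc:
        log.warning("deserialization rejected: undecodable token (%s)", exc)
        raise DeserializationError("undecodable token") from exc
    if len(raw) <= TAG_LEN:
        log.warning("deserialization rejected: token too short")
        raise DeserializationError("token too short")
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        log.warning("deserialization rejected: HMAC mismatch")
        raise DeserializationError("integrity check failed")
    try:
        data = json.loads(payload)
    except ValueError as exc:
        log.warning("deserialization rejected: payload is not valid JSON")
        raise DeserializationError("malformed payload") from exc
    return validate_session(data)


def try_deserialize(token: bytes, key: bytes = DEMO_KEY):
    """Wrapper returning (ok, value_or_reason) instead of raising."""
    try:
        return True, deserialize_signed(token, key)
    except DeserializationError as exc:
        return False, str(exc)


def tamper(token: bytes, old: bytes, new: bytes) -> bytes:
    """Demo helper: edits the signed payload without re-signing it, standing in
    for a client that alters the data it was handed before sending it back."""
    raw = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(raw.replace(old, new))


if __name__ == "__main__":
    tok = serialize_signed({"user": "alice", "role": "viewer"})
    print(try_deserialize(tok))
    print(try_deserialize(tamper(tok, b'"viewer"', b'"editor"')))
```

Two design points worth noting: the tag is checked before `json.loads` runs, so unverified bytes never reach a parser, and the schema check is separate from the integrity check, because a correctly signed token can still carry values the application should refuse (the `admin` role case in the test). The HMAC here is a shared-secret integrity check; where the producer and consumer are different parties, an asymmetric signature plays the same role.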