Insecure Deserialization

00:00

Hey, everyone is Canada Hill Master Instructor a cyber. In this video, we're gonna talk about Web defense

00:06

So quick, pre assessment question here, insecure D. C. Realization is the most common vulnerability in the whole Lost Top 10. Is that your riffles? This one's kind of easy

00:16

are. So the answer there is false right? We already know that injection is the most most common vulnerability in the law. Stop 10. It's number one on the list and then also as kind of the flip side of that sequel injection being the most prevalent there of the type of attack an attacker would use.

00:33

So insecure d serialization so

00:35

serialization itself. We're taking the object we converted to a byte stream, and then it's, you know, going to file memory. A database on basically the serialization is just the opposite of that, right? We're taking the byte stream, and then we're converting that back into an object. So what happens here in this type of vulnerability is that the attacker

00:53

supplies hostile objects of them. We do serialized those,

00:56

and we actually, you know, lose data. You know, the attacker gets privileged access, et cetera.

01:02

So prevalent is common based on a survey. That's actually not a whole lot of data out there from the real world out there in the wild, as we call it in the industry. So they did survey of organizations. But there's, you know, a loss doesn't necessarily have any real data on it. And it does take manual attacker review. So again, it's not very prevalent thing that

01:22

on Attacker would normally use when you could do this something like sequel injection

01:25

and just, you know, get access to the organization that way.

01:29

So how do we check to check for a manual? Code review is a common thing to use, but again, that takes time, right? If you've got a huge application, we're going there is gonna take some time validating the data and then also properly sanitizing data that is be being do serialized Do serialized. Excuse me.

01:47

Um, so that way we can see if it's actually malicious or not

01:52

impact here. You know, data tampering, types of attacks. They could also lead to other attacks. Like, you know, this could be used in a replay or injection, a type of attack privilege, excuse escalation as well,

02:04

so preventing it You know, we kind of talked about this a little bit, but, you know, putting integrity checks in place. So using digital signatures, logging any type of the serialization failures or exceptions

02:15

along with that monitoring as well, isolating code and then also encrypting our seal serialized data. So that way, attacker can't manipulate it.

02:24

So quick. Post assessment question here. Bill's looking for ways to reduce the likelihood of this type of vulnerability. What's the following is not something that he could do effectively, effectively to reduce the risk.

02:38

All right, So if you guessed answer D using serialization in Web service is doesn't actually help reduce the risk it all. And if anything, it actually increases the risk. Because now we've got the risk of the attacker being able to inject malicious objects. And then we do serialize those.