OWASP Top 10 Part 8: Insecure Deserialization

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
OWASP Top 10, number 8: insecure deserialization. In this lesson, we're going to talk about the risks of insecure deserialization, its impact, and techniques to address it.

In order to understand deserialization, let's first define what serialization is. Serialization is the process of translating a data structure or an object into a state that can be stored or transmitted and reconstructed later. That reconstructed part is where the deserialization comes in, and in insecure deserialization an attacker inputs malicious code or a string in the serialized object that is activated upon deserialization. This allows them to do various manipulations that execute a command when that deserialization occurs. It can really be prevented by not accepting serialized objects in the first place from untrusted sources, or by putting restrictions and monitoring on the deserialization process.

Quiz question: which of the following is potentially vulnerable to deserialization exploits? Applications, APIs, or all of the above? If you said all of the above, you're correct. Applications and APIs both use serialization to transform and store different objects or data structures when they initially come in, and that deserialization process, if not properly monitored, can result in this remote code execution occurring.

In summary, we talked about what serialization is in the first place and then how insecure deserialization can result in remote code execution. We talked about the impact of it: that the attacker can use it to gain access and extract data by using this deserialization process to execute malicious code. Then we talked about methods to prevent the exploit, namely monitoring on the deserialization process or not allowing serialization from untrusted sources.

I'll see you in the next lesson.
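The attack the lesson describes, and the two preventions it names (refusing serialized objects from untrusted sources, and restricting what the deserializer is allowed to do), shown with Python's `pickle`. This is an added example, not code from the lesson: the `Session` and `Gadget` classes, the allowlist, the `SECRET_KEY` and the `echo pwned` command are all constructed for the demonstration.

```python
"""Insecure deserialization with pickle: the gadget, then two mitigations."""
import hashlib
import hmac
import io
import pickle
import subprocess


class Session:
    """A harmless object an application might legitimately serialize."""
    def __init__(self, user, role):
        self.user = user
        self.role = role


def serialize_session(user, role):
    """What the trusted side of the application produces."""
    return pickle.dumps(Session(user, role))


class Gadget:
    """Attacker-controlled class. pickle stores the result of __reduce__
    (a callable plus arguments), and pickle.loads invokes that callable
    before the application ever sees a reconstructed object."""
    def __reduce__(self):
        # Constructed payload: run an OS command on the deserializing host.
        return (subprocess.check_output, (["echo", "pwned"],))


def attacker_payload():
    """Bytes an attacker submits where the app expects a pickled Session.
    Note the Gadget class does not need to exist on the victim; only
    subprocess.check_output does."""
    return pickle.dumps(Gadget())


def vulnerable_load(blob):
    """Deserializes whatever it receives: the vulnerable pattern."""
    return pickle.loads(blob)


# Mitigation 1: restrict which globals the unpickler may resolve.
ALLOWED_GLOBALS = {(Session.__module__, "Session"): Session}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every module.name reference in the
    stream. Anything outside the allowlist (subprocess.check_output,
    os.system, builtins.eval, ...) is refused before it can be called."""
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Mitigation 2: only deserialize blobs this server signed itself.
SECRET_KEY = b"demo-key-replace-with-a-real-secret"  # constructed for the demo
MAC_LEN = hashlib.sha256().digest_size


def sign(blob, key=SECRET_KEY):
    """Prefix the serialized bytes with an HMAC-SHA256 tag."""
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def verify_and_load(signed, key=SECRET_KEY):
    """Reject anything not produced by a holder of the key, then still
    deserialize through the allowlist (defence in depth)."""
    tag, blob = signed[:MAC_LEN], signed[MAC_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: refusing to deserialize")
    return restricted_load(blob)


def try_load(loader, blob):
    """Run a loader and report ('ok', obj) or ('blocked', reason)."""
    try:
        return ("ok", loader(blob))
    except (pickle.UnpicklingError, ValueError) as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    evil = attacker_payload()
    print(vulnerable_load(evil))                 # command output is the "object"
    print(try_load(restricted_load, evil))       # blocked by the allowlist
    print(try_load(verify_and_load, sign(serialize_session("alice", "user")))[1].user)
    print(try_load(verify_and_load, evil))       # unsigned: rejected
    print(try_load(verify_and_load, sign(evil, key=b"wrong-key")))
```

Two caveats a practitioner should keep in mind. The allowlist only controls class lookup, so it must stay small and must not include classes whose constructors or `__setstate__` do dangerous work; for input that is untrusted by design, a data-only format such as JSON is the better choice. Signing makes the server accept only blobs it produced, which is the practical form of "not accepting serialized objects from untrusted sources"; it does not help if an attacker can get the trusted producer to serialize attacker-chosen objects, which is why the signed path here still goes through the restricted unpickler.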