AttackFlow Findings Dictionary

Inadequate Deserialization Validation

An attacker may inject arbitrary code and execute it on the application server through insecure binary deserialization, resulting in full compromise of the host.

Severity

Low

Fix Cost

Medium

Trust Level

Medium

Since early Remote Method Invocation (RMI) and CORBA implementations, serialization/deserialization has been a key mechanism for transferring object state from one end to another. It is used in in-process, inter-process and network communication between the same or different frameworks.

The serialization APIs provide a mechanism for serializable classes to check their deserialized content at run-time. Here is an example of a class that does not use it:

using System;

[Serializable]
class RemoteMessage
{
    // Restored straight from the serialized stream; nothing checks it before use.
    string message;

    public MessageResult SendAndSave()
    {
        /* process deserialized message */
        return new MessageResult();
    }
}

class MessageResult { }

The above serializable (annotated) class has no way to validate the deserialized message before SendAndSave is called, and is therefore open to attack.
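The following is an added example, not code from the AttackFlow page, showing the run-time check the text refers to: in .NET a serializable class can mark a method with [OnDeserialized] so that the runtime invokes it after the fields have been restored and before any business method can run. Deserialization bypasses constructors, so a check placed only in the constructor would never execute on a received payload. The class and field names follow the page; the length limit, the control-character rule and the MessageResult fields are assumptions made for illustration, and the oversized payload is constructed in the test harness.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;

// Added example (not the page's code): the RemoteMessage class from the page,
// with a deserialization callback that validates the restored state.
[Serializable]
class ValidatedRemoteMessage
{
    private const int MaxMessageLength = 1024; // assumed policy limit

    string message;

    public ValidatedRemoteMessage(string message)
    {
        this.message = message;
        Validate(); // the same rule applies when the object is built normally
    }

    // Invoked by the serializer after the fields are populated. Constructors
    // are not run during deserialization, so this is the only hook that sees
    // the restored state before SendAndSave can be called.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext context)
    {
        Validate();
    }

    private void Validate()
    {
        if (message == null)
            throw new SerializationException("message must be present");
        if (message.Length > MaxMessageLength)
            throw new SerializationException("message exceeds allowed length");
        foreach (char c in message)
        {
            if (char.IsControl(c))
                throw new SerializationException("message contains control characters");
        }
    }

    public MessageResult SendAndSave()
    {
        // Reaching this point implies Validate() has already passed.
        return new MessageResult { Accepted = true, Length = message.Length };
    }
}

class MessageResult
{
    public bool Accepted;
    public int Length;
}

static class Demo
{
    static void Main()
    {
        // DataContractSerializer honours [Serializable] types and the
        // [OnDeserialized] callback, and runs without opt-in on modern .NET.
        var serializer = new DataContractSerializer(typeof(ValidatedRemoteMessage));
        string xml;
        using (var stream = new MemoryStream())
        {
            serializer.WriteObject(stream, new ValidatedRemoteMessage("hello"));
            xml = Encoding.UTF8.GetString(stream.ToArray());
        }

        // Well-formed payload: the callback passes and the business method is reachable.
        var ok = (ValidatedRemoteMessage)serializer.ReadObject(
            new MemoryStream(Encoding.UTF8.GetBytes(xml)));
        Console.WriteLine("valid payload accepted: " + ok.SendAndSave().Accepted);

        // Constructed oversized payload: the callback rejects it before
        // SendAndSave can run.
        string oversized = xml.Replace("hello", new string('a', 2000));
        try
        {
            serializer.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(oversized)));
            Console.WriteLine("oversized payload accepted (unexpected)");
        }
        catch (SerializationException e)
        {
            Console.WriteLine("oversized payload rejected: " + e.Message);
        }
    }
}
```

The callback checks the state of your own object once it has been built; it does not control which types the formatter is willing to instantiate. For BinaryFormatter, which Microsoft has marked obsolete since .NET 5 because of exactly this class of issue, the primary mitigations are to stop using it and to restrict allowed types (for example through a SerializationBinder), with per-object validation as an additional layer rather than a substitute.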
