AttackFlow Findings Dictionary


Insecure Deserialization - XML

An attacker may inject arbitrary code that executes on the application server through insecure XML deserialization, resulting in full compromise of the server.

Severity

Low

Fix Cost

Medium

Trust Level

Low

From early Remote Method Invocation (RMI) and CORBA implementations onward, serialization/deserialization has been a key mechanism for transferring object state from one end to another. Serialization/deserialization happens in in-process, inter-process and network communication, between the same or different frameworks.

There are APIs that can deserialize previously serialized class instances, such as the one below:

    using System.IO;
    using System.Xml.Serialization;

    // Serializer bound to a single, known type.
    XmlSerializer serializer = new XmlSerializer(typeof(OrderedItem));

    // The file name comes straight from the user; OpenOrCreate will create it if absent.
    FileStream fs = new FileStream(userInputFileName, FileMode.OpenOrCreate);
    TextReader reader = new StreamReader(fs);

    // Deserialized fields are untrusted input when Register() is called.
    OrderedItem i = (OrderedItem) serializer.Deserialize(reader);
    i.Register();

The code above reads a user-supplied file, deserializes the type instance and executes its Register method. Since the System.Xml.Serialization.XmlSerializer class can only serialize simple public types, the risk is low; however, a deserialized string that reaches a dangerous sink inside the Register method might still allow an attacker to mount a successful attack.
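The following is an added example, not code from the AttackFlow page. It puts the vulnerable pattern above next to a hardened version. The OrderedItem type, its Register method, the "registrations" and "uploads" directories and the sample XML document are all assumptions constructed for illustration. The hardened loader confines the user-supplied file name to one directory, opens the file read-only, disables DTD processing as general XML hardening, checks that the document really is an OrderedItem, and validates the deserialized string before it reaches the sink.

```csharp
// Added example (not from the AttackFlow page). OrderedItem, Register(),
// the directory names and the sample XML below are constructed assumptions.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;
using System.Xml.Serialization;

public class OrderedItem
{
    public string Name { get; set; }
    public int Quantity { get; set; }

    // Dangerous sink: a deserialized string becomes part of a file path.
    public void Register()
    {
        Directory.CreateDirectory("registrations");
        File.WriteAllText(Path.Combine("registrations", Name + ".txt"), Quantity.ToString());
    }
}

public static class VulnerableLoader
{
    // The caller controls which file is read AND the contents that reach Register().
    public static void Load(string userInputFileName)
    {
        var serializer = new XmlSerializer(typeof(OrderedItem));
        using (var fs = new FileStream(userInputFileName, FileMode.OpenOrCreate))
        using (TextReader reader = new StreamReader(fs))
        {
            var item = (OrderedItem)serializer.Deserialize(reader);
            item.Register(); // a Name containing path separators escapes "registrations"
        }
    }
}

public static class HardenedLoader
{
    private static readonly string UploadDir = Path.GetFullPath("uploads");
    private static readonly Regex SafeName = new Regex("^[A-Za-z0-9_-]{1,64}$");

    public static OrderedItem Load(string userInputFileName)
    {
        // 1. Do not trust the path: keep only the file name and confine it to UploadDir.
        string full = Path.GetFullPath(Path.Combine(UploadDir, Path.GetFileName(userInputFileName)));
        if (!full.StartsWith(UploadDir + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path outside upload directory");

        // 2. Open read-only and bound the parser; OpenOrCreate would create files on demand.
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // general XML hardening: no DTD expansion
            XmlResolver = null,                     // never resolve external resources
            MaxCharactersInDocument = 1 << 20       // 1 MiB ceiling on input size
        };
        var serializer = new XmlSerializer(typeof(OrderedItem));
        using (var fs = File.OpenRead(full))
        using (var reader = XmlReader.Create(fs, settings))
        {
            // 3. The target type is fixed at compile time; reject anything else up front.
            if (!serializer.CanDeserialize(reader))
                throw new InvalidDataException("document is not an OrderedItem");
            var item = (OrderedItem)serializer.Deserialize(reader);

            // 4. Treat every deserialized field as untrusted input before it hits a sink.
            if (item.Name == null || !SafeName.IsMatch(item.Name) || item.Quantity < 0)
                throw new InvalidDataException("rejected item");
            item.Register();
            return item;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample document matching the OrderedItem shape.
        Directory.CreateDirectory("uploads");
        File.WriteAllText(Path.Combine("uploads", "sample.xml"),
            "<?xml version=\"1.0\"?><OrderedItem><Name>widget</Name><Quantity>3</Quantity></OrderedItem>");

        OrderedItem ok = HardenedLoader.Load("sample.xml");
        Console.WriteLine($"registered {ok.Name} x{ok.Quantity}");

        try { HardenedLoader.Load("../secret.xml"); }            // confined to uploads/, then missing
        catch (Exception e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

The two loaders differ in four places, and each difference closes one path the finding describes: the file name can no longer point outside the upload directory, the stream cannot create files, the document must match the declared type, and the deserialized Name is validated before Register builds a path from it. The validation in step 4 is the part that matters most for this finding, because XmlSerializer itself will happily hand back any string the document contains.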
