Deserialization of Untrusted Data
Serialization is the process of converting an object in memory into a format (such as a byte stream or text format like JSON/XML) that can be stored or transmitted. Deserialization is the reverse process, reconstructing the object in memory from that stored or transmitted representation.
Overview
Deserialization mechanisms are abused when they operate on untrusted serialized data. The attacker does not need to inject new code: a crafted serialized object graph can reference classes that are already on the application's classpath and whose deserialization hooks (in Java, methods such as readObject and readResolve) perform dangerous operations, so existing code runs with attacker-chosen arguments as a side effect of reconstructing the object. Much like stored XSS, the payload is planted in data and fires later, wherever that data is read back. Attacks against deserializers have been shown to allow denial of service, access control bypass, privilege escalation and remote code execution (RCE).
Waratek uses a virtualization-based approach to runtime application self-protection (RASP). This allows the Waratek Agent to create a restricted dynamic micro-compartment in which malicious operations cannot execute. Waratek's deserialization protection is activated when deserialization begins and is automatically disabled once it has completed, so the compartment constrains only the code that runs while objects are being reconstructed.

Rule Options
Exploit Type
- Remote Code Execution - This option protects against deserialization payloads that perform privilege escalation and Remote Code Execution (RCE).
- Denial of Service - This option protects against deserialization payloads that perform Denial of Service (DoS) attacks on the host. For example, a malicious deserialization payload can describe an object graph (such as deeply nested collections, or the entity expansion of the billion laughs attack against an XML parser) whose reconstruction consumes all available CPU or memory on the host.
For each exploit type (Remote Code Execution or Denial of Service) the Agent allows only one rule to be specified.
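The mechanism described in the Overview and the two exploit types above, as an added example that is not part of the Waratek documentation or product: plain JDK serialization with a constructed class whose readObject hook has a side effect (standing in for a real gadget chain, with a marker string in place of Runtime.exec), deserialized first without any check and then through a JEP 290 ObjectInputFilter that allow-lists the expected classes and caps graph depth. The names `DeserializationDemo`, `Gadget`, `SIDE_EFFECTS` and the nested-list payload are assumptions for illustration; the filter syntax and the `setObjectInputFilter` / `ObjectInputFilter.Config.createFilter` calls are the JDK's own (Java 9 or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class DeserializationDemo {

    // Records what the deserialization hook did, so the effect is observable
    // without running a real command. (Constructed for this example.)
    static final Set<String> SIDE_EFFECTS = new HashSet<>();

    // A class on the classpath whose custom readObject hook has a side effect.
    // Real gadget chains reach such hooks through several JDK or library
    // classes; the principle is the same: the attacker supplies data, the
    // application's own code runs during readObject().
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String command;

        Gadget(String command) { this.command = command; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Runs before the caller ever sees the reconstructed object.
            SIDE_EFFECTS.add(command);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable: reconstructs whatever class the bytes name.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter is consulted for each class descriptor and each
    // nesting level before any object is instantiated, so rejected classes
    // never get their readObject hook invoked.
    static Object safeDeserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Denial-of-service style payload (constructed): a graph whose nesting
    // depth, not its byte size, is what costs the deserializer.
    static Object nestedPayload(int depth) {
        List<Object> root = new ArrayList<>();
        List<Object> current = root;
        for (int i = 0; i < depth; i++) {
            List<Object> next = new ArrayList<>();
            current.add(next);
            current = next;
        }
        return root;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Gadget("touch /tmp/pwned"));

        // 1. No filter: the hook fires during readObject().
        unsafeDeserialize(payload);
        System.out.println("unfiltered: side effects = " + SIDE_EFFECTS);

        // 2. Allow-list only the types this endpoint expects, reject everything
        //    else ("!*"), and bound the graph depth.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;!*;maxdepth=20");
        SIDE_EFFECTS.clear();
        try {
            safeDeserialize(payload, filter);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected gadget: " + e.getMessage());
        }
        System.out.println("filtered: side effects = " + SIDE_EFFECTS);

        // 3. Deep graph: rejected by maxdepth before the nested lists are built.
        byte[] deep = serialize(nestedPayload(1000));
        try {
            safeDeserialize(deep, filter);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected deep graph: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with `-Djdk.serialFilter=...` on the JVM command line instead of per stream, which is the closer analogue to a runtime agent rule: the check sits in front of every ObjectInputStream rather than relying on each call site to remember it. The Gadget class is rejected on its class descriptor, so SIDE_EFFECTS stays empty after the filtered run; the nested-list payload is rejected on depth, which is the property a CPU- or memory-exhaustion payload needs and a size limit alone would not catch.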
Action
- Detect - The Agent detects the attack and generates a Security Event, viewable on the Security Events pages in the Portal, but takes no further action.
- Protect - In addition to the Detect actions, the Waratek Agent actively prevents the attack from succeeding.
Resources
More information on deserialization can be found at:
- The Java Deserialization Problem
- the CWE's community-developed website
- the OWASP Foundation's website
- Christian Schneider's blog