Need

To protect against unauthorized control of application execution flow

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Elixir Phoenix for building web applications

• Usage of serialization/deserialization libraries for handling serialized objects from untrusted sources

Description

1. Non compliant code

defmodule VulnerableApp.WebController do
  use VulnerableApp.Web, :controller

  def deserialize(conn, _params) do
    # The bare match assumes decoding always succeeds: malformed JSON raises
    # a MatchError instead of being handled. Whatever does decode (object,
    # list, string, number...) is passed on with no check of its shape.
    {:ok, params} = Poison.decode(conn.params["payload"])
    process_params(params)
  end
  defp process_params(params) do...

The Elixir code above decodes a payload from an untrusted source and hands the result to process_params/1 without validating or casting it. Two things go wrong: the bare `{:ok, params} =` match raises on malformed input instead of handling it, and whatever the attacker sends (a list, a string, a map with unexpected keys) becomes the data the rest of the request handling operates on, which lets the attacker choose the paths the application takes.

2. Steps

• Decode the payload with a library such as `jason`, then check the decoded value against the structure the application expects (for example with pattern matching and guards on the decoded term, or by casting it into a struct with a defined schema).

• Only pass the object on for processing if it meets the expected properties; reject anything else, including a failed decode, with an explicit error instead of letting it crash or flow through.

3. Secure code example

defmodule SecureApp.WebController do
  use SecureApp.Web, :controller

  def deserialize(conn, _params) do
    # Decode, then accept the value only if it has the expected shape
    # (a JSON object, i.e. an Elixir map); anything else, including a
    # decode error, is rejected explicitly.
    case Jason.decode(conn.params["payload"]) do
      {:ok, params} when is_map(params) ->
        process_params(params)
      _ ->
        {:error, "Invalid payload"}
    end
  end
  defp process_params(params) do...

The Elixir code above decodes an object from an untrusted source but only processes it when it has the expected shape, and returns an error otherwise (including when decoding fails). This keeps an attacker from steering the application's execution flow with an unexpected payload.
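The steps and the secure example above check only that the payload is a map. As an added example that is not part of the original page, the module below carries the same idea further in plain Elixir: it contrasts a dispatcher that turns an untrusted "action" field into a function name (the execution-flow takeover the page warns about) with one that decodes with Jason and then accepts only an allowlisted action with correctly typed arguments. The `PayloadValidation` module, its action names and the sample payloads are constructed for illustration and do not come from the page; `Mix.install` is used so the script runs stand-alone with `elixir`.

```elixir
# Added example, not from the original page. Runs stand-alone with
# `elixir payload_validation.exs` (Mix.install needs Elixir >= 1.12).
Mix.install([{:jason, "~> 1.4"}])

defmodule PayloadValidation do
  # Hypothetical module and action names; they are illustrative only.

  # UNSAFE: the attacker-chosen "action" string becomes the function to call,
  # so every exported 1-arity function in this module is reachable, including
  # reset_all/1, which the JSON API was never meant to expose. As in the
  # page's non-compliant code, malformed input raises a MatchError, and
  # String.to_atom/1 creates a new atom for every unknown name it is given.
  def unsafe_dispatch(payload) do
    {:ok, %{"action" => action, "args" => args}} = Jason.decode(payload)
    apply(__MODULE__, String.to_atom(action), [args])
  end

  # SAFE: decode, require the exact shape (an object with a string "action"
  # and an object "args"), then dispatch through an explicit allowlist. The
  # untrusted string is only ever compared against literals; it is never
  # converted to an atom or used to look up code.
  def safe_dispatch(payload) when is_binary(payload) do
    case Jason.decode(payload) do
      {:ok, %{"action" => action, "args" => args}} when is_binary(action) and is_map(args) ->
        run(action, args)

      {:ok, _other_shape} ->
        {:error, :unexpected_shape}

      {:error, %Jason.DecodeError{}} ->
        {:error, :malformed_json}
    end
  end

  # Allowlisted actions with their argument checks. Anything that does not
  # match a clause here (unknown action or wrongly typed args) is rejected.
  defp run("greet", %{"name" => name}) when is_binary(name),
    do: {:ok, "hello " <> name}

  defp run("count", %{"items" => items}) when is_list(items),
    do: {:ok, length(items)}

  defp run(_action, _args), do: {:error, :unknown_action_or_bad_args}

  # A privileged operation that exists in the module but is not an API action.
  def reset_all(_args), do: {:ok, :everything_reset}
end

# Constructed sample payloads (not from the page).
benign = ~s({"action":"greet","args":{"name":"ana"}})
hostile = ~s({"action":"reset_all","args":{}})
wrong_shape = ~s([1, 2, 3])
malformed = ~s({"action":)
bad_args = ~s({"action":"count","args":{"items":"x"}})

# The unsafe dispatcher lets the hostile payload reach reset_all/1.
IO.inspect(PayloadValidation.unsafe_dispatch(hostile), label: "unsafe, hostile")

# The safe dispatcher accepts only the benign payload and returns an
# error tuple for each of the others, without raising.
for payload <- [benign, hostile, wrong_shape, malformed, bad_args] do
  IO.inspect(PayloadValidation.safe_dispatch(payload), label: payload)
end
```

The allowlist lives in the `run/2` clauses, so adding an action means adding a clause with its argument guards; nothing an attacker puts in the JSON can name a function, create an atom, or pick a code path that is not spelled out there.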