Js Unsafe Deserialization Untrusted Data
Description
Identifies unsafe deserialization of untrusted data in JavaScript/Node.js applications that use the node-serialize module. When attacker-controlled input is passed to node-serialize's deserialization functions, it can lead to remote code execution, because the module evaluates JavaScript code embedded in the serialized payload during deserialization.
Detection Strategy
• Verifies the application imports both the 'express' and 'node-serialize' modules
• Looks for calls to deserialization functions like unserialize() or deserialize()
• Checks if the deserialization operation processes untrusted/external data without proper validation
• Reports vulnerability when user-controlled data flows into node-serialize deserialization functions
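The detection strategy above, as an added example rather than Fluid Attacks' own analyzer: a small, heuristic, line-based scanner that checks for both imports, finds unserialize()/deserialize() calls, and tracks request data through simple variable assignments (the sample sources, the regexes and the taint-tracking approach are all assumptions of this example).

```javascript
// Added example (not Fluid Attacks' own analyzer): a heuristic, line-based
// check implementing the detection strategy above. Assumption: tracking taint
// through simple variable assignments is enough; this is not full data-flow.
const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const SINK_RE = /\b(?:unserialize|deserialize)\s*\(\s*([^)]*)\)/g;
const SOURCE_RE = /\breq\.(?:body|query|params|headers|cookies)\b/;
const DECL_RE = /\b(?:const|let|var)\s+(\w+)\s*=\s*(.+)$/;

function importedModules(source) {
  return new Set([...source.matchAll(REQUIRE_RE)].map((m) => m[1]));
}

// True if the expression reads request data or a variable derived from it.
function isTainted(expr, tainted) {
  if (SOURCE_RE.test(expr)) return true;
  return [...tainted].some((n) => new RegExp(`\\b${n}\\b`).test(expr));
}

// One finding per node-serialize call whose argument is user-controlled.
function findUnsafeDeserialization(source) {
  const mods = importedModules(source);
  if (!mods.has('express') || !mods.has('node-serialize')) return [];
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const decl = line.match(DECL_RE);
    if (decl && isTainted(decl[2], tainted)) tainted.add(decl[1]);
    for (const m of line.matchAll(SINK_RE)) {
      if (isTainted(m[1], tainted)) findings.push({ line: i + 1, call: m[0] });
    }
  });
  return findings;
}

// Constructed samples: the first mirrors the page's vulnerable code example;
// the second keeps both imports but parses the request body with JSON.parse.
const VULNERABLE_SAMPLE = [
  "const express = require('express');",
  "const serialize = require('node-serialize');",
  "app.post('/api', (req, res) => {",
  "  const userInput = req.body.data;",
  "  const obj = serialize.unserialize(userInput);",
  "  res.json(obj);",
  "});",
].join('\n');
const SAFE_SAMPLE = VULNERABLE_SAMPLE.replace(
  'serialize.unserialize(userInput)', 'JSON.parse(userInput)');

console.log(findUnsafeDeserialization(VULNERABLE_SAMPLE)); // [{ line: 5, call: 'unserialize(userInput)' }]
```

A file that imports node-serialize but not express, or that deserializes only constants, produces no finding, matching the first and third bullets.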
Vulnerable code example
const express = require('express');
const serialize = require('node-serialize');
const app = express();
app.use(express.json());
app.post('/api', (req, res) => {
  const userInput = req.body.data; // user-controlled data from the request body
  const obj = serialize.unserialize(userInput); // VULNERABLE: unsafe deserialization of user input; node-serialize evaluates code embedded in the payload
});
✅ Secure code example
const express = require('express');
const app = express();
app.use(express.json());
app.post('/api', (req, res) => {
  const userInput = req.body.data;
  const obj = JSON.parse(userInput); // Safe: JSON.parse only builds plain data and never evaluates code while parsing
});