Php Untrusted Unserialize Input
Description
Detects unsafe usage of PHP unserialize() function with untrusted input, which can lead to remote code execution vulnerabilities. When user-controlled data is passed directly to unserialize() without proper validation, attackers can craft malicious serialized objects to execute arbitrary code.
Detection Strategy
• Check for calls to PHP unserialize() function in the codebase
• Verify if the first argument passed to unserialize() comes from user input (e.g., $_GET, $_POST, $_REQUEST)
• Verify if the first argument is not properly sanitized or validated before deserialization
• Report a vulnerability if unserialize() is called with unsanitized user input
Vulnerable code example
<?php
// Minimal example of unsafe PHP deserialization
function vulnerable_deserialization() {
    $user_data = $_GET['data'];
    $result = unserialize($user_data); // Vulnerable: direct unserialization of user input
    return $result;
}
?>
✅ Secure code example
<?php
// Secure PHP deserialization with type enforcement and validation
function secure_deserialization() {
    // Define allowed classes that can be unserialized
    $allowed_classes = ['stdClass', 'User'];
    $user_data = $_GET['data'];
    // Only the listed classes may be instantiated; any other class in the
    // payload is turned into __PHP_Incomplete_Class instead of being built
    $result = unserialize($user_data, ['allowed_classes' => $allowed_classes]);
    if ($result === false) {
        return null; // Malformed input: reject it instead of using it
    }
    return $result;
}
?>