Kotlin Insecure Deserialization Untrusted Data

Description

Detects insecure deserialization vulnerabilities in Kotlin where untrusted data is deserialized with readObject(). When untrusted data is deserialized without proper validation, an attacker can craft a malicious serialized object that executes arbitrary code when it is deserialized or causes a denial of service.

Weakness:

096 - Insecure deserialization

Category: Unexpected Injection

Detection Strategy

- Identifies Kotlin code that uses the readObject() method for deserialization
- Checks whether the input source for deserialization comes from untrusted, user-controlled parameters
- Verifies the presence of the imports required for Kotlin deserialization functionality
- Reports a vulnerability when readObject() is called with data originating from user input without proper validation

Vulnerable code example

import java.io.*;

class UserProfile implements Serializable {
    public String username;
    public boolean isAdmin;
}

class VulnerableEndpoint {...

✅ Secure code example

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.*;

class UserProfile {
    private String username;
    private boolean isAdmin;
    
    // Getters and setters instead of public fields...
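The following Kotlin example is added here to show the pattern the rule flags next to two hardened versions; it is not the database's own code and not one of the examples above. Assumed: a hypothetical `UserProfile` class in the default package, Java 9 or later (for `ObjectInputFilter`), and Jackson databind on the classpath. The function names, the filter pattern and the sample payloads are constructed for this illustration.

```kotlin
import com.fasterxml.jackson.annotation.JsonProperty
import com.fasterxml.jackson.databind.ObjectMapper
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.InvalidClassException
import java.io.ObjectInputFilter
import java.io.ObjectInputStream
import java.io.ObjectOutputStream
import java.io.Serializable
import java.util.Base64

// Hypothetical profile type (assumed for this example). Kotlin turns an
// "isAdmin" property into isAdmin()/setAdmin(), which Jackson would name
// "admin"; the annotations keep the JSON key as "isAdmin".
class UserProfile : Serializable {
    var username: String = ""
    @get:JsonProperty("isAdmin") @set:JsonProperty("isAdmin")
    var isAdmin: Boolean = false
}

// Vulnerable pattern the rule reports: bytes taken straight from a request
// parameter reach readObject() with no restriction on which classes the
// stream may instantiate.
fun loadProfileUnsafe(param: String): UserProfile {
    val bytes = Base64.getDecoder().decode(param)   // untrusted input
    ObjectInputStream(ByteArrayInputStream(bytes)).use { ois ->
        return ois.readObject() as UserProfile
    }
}

// Hardened variant 1: keep Java serialization but attach a deserialization
// filter (JEP 290). Only UserProfile (and the String it contains) is
// accepted; any other class, or an oversized or deeply nested stream, is
// rejected before an object is constructed. Constructed filter pattern.
private val profileFilter: ObjectInputFilter = ObjectInputFilter.Config.createFilter(
    "maxdepth=5;maxbytes=4096;java.lang.String;${UserProfile::class.java.name};!*"
)

fun loadProfileFiltered(param: String): UserProfile {
    val bytes = Base64.getDecoder().decode(param)
    ObjectInputStream(ByteArrayInputStream(bytes)).use { ois ->
        ois.objectInputFilter = profileFilter
        return ois.readObject() as UserProfile
    }
}

// Hardened variant 2 (the approach of the secure example above): a data-only
// format. Jackson maps JSON onto the declared properties and never runs
// readObject() logic from arbitrary classes on the classpath.
private val mapper = ObjectMapper()

fun loadProfileJson(json: String): UserProfile =
    mapper.readValue(json, UserProfile::class.java)

fun main() {
    // Constructed sample: a legitimate serialized UserProfile, base64 encoded.
    val legit = UserProfile().apply { username = "alice" }
    val buf = ByteArrayOutputStream()
    ObjectOutputStream(buf).use { it.writeObject(legit) }
    val legitParam = Base64.getEncoder().encodeToString(buf.toByteArray())
    println(loadProfileFiltered(legitParam).username)   // alice

    // Constructed sample: a stream carrying a class outside the allowlist.
    // The unsafe loader would instantiate it; the filter refuses it.
    val other = ByteArrayOutputStream()
    ObjectOutputStream(other).use { it.writeObject(java.util.ArrayList<String>()) }
    val otherParam = Base64.getEncoder().encodeToString(other.toByteArray())
    try {
        loadProfileFiltered(otherParam)
    } catch (e: InvalidClassException) {
        println("rejected by filter: ${e.message}")
    }

    println(loadProfileJson("""{"username":"bob","isAdmin":false}""").isAdmin)   // false
}
```

The filter approach is the smaller change when a Java-serialized format cannot be replaced, but the allowlist has to be maintained as the model grows; switching to a data-only format such as JSON removes the class-loading behaviour that makes `readObject()` dangerous in the first place.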