Scala Untrusted Input Insecure Deserialization
Description
Detects deserialization of untrusted data in Scala applications through Java's ObjectInputStream methods (readObject/readUnshared). ObjectInputStream instantiates whichever serializable classes the byte stream names and runs their readObject/readResolve logic before the caller ever sees the result, so an attacker who controls the input (for example a request body or parameter) can chain gadget classes already on the classpath into arbitrary code execution.
Detection Strategy
• Checks if Play Framework MVC libraries are imported in the codebase
• Identifies calls to ObjectInputStream.readObject() or readUnshared() methods
• Verifies if the input stream argument originates from user-controlled parameters
• Confirms that no validation is applied to the stream before deserialization, such as an ObjectInputFilter or resolveClass allowlist restricting which classes may be instantiated
• Reports a vulnerability when unsanitized user input flows into deserialization methods
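The flow the rule looks for, and its hardened counterpart, as an added Scala example (this is not Fluid Attacks' code nor a Play Framework sample). The object name, the payload helpers and the class allowlist are assumptions for the demo; the `payload` parameter stands in for bytes taken from a user-controlled source such as a Play raw body (`request.body.asBytes()`) or a query parameter. It needs Java 9 or later for `java.io.ObjectInputFilter`.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, ObjectInputFilter, ObjectInputStream, ObjectOutputStream}
import scala.util.Try

// Hypothetical helper object for the demo; `payload` represents user-controlled bytes.
object DeserializationDemo {

  // Vulnerable: whatever class the stream names is loaded and instantiated, so a crafted
  // payload can drive a gadget chain on the classpath before readObject even returns.
  def unsafeDeserialize(payload: Array[Byte]): AnyRef = {
    val ois = new ObjectInputStream(new ByteArrayInputStream(payload))
    try ois.readObject() finally ois.close()
  }

  // Allowlist in ObjectInputFilter pattern syntax (JEP 290). The class list is an assumption
  // for this demo. maxdepth/maxarray bound object-graph depth and array sizes, and the
  // trailing "!*" is essential: without it a class matching no pattern is UNDECIDED and is
  // still instantiated, so the "allowlist" would reject nothing.
  private val AllowedPattern =
    "java.util.ArrayList;java.lang.String;maxdepth=8;maxarray=1000;!*"
  private val allowFilter: ObjectInputFilter =
    ObjectInputFilter.Config.createFilter(AllowedPattern)

  // Hardened: the filter is consulted for every class descriptor (and array length / depth)
  // in the stream before the class is resolved or any object is created.
  def safeDeserialize(payload: Array[Byte]): Try[AnyRef] = Try {
    val ois = new ObjectInputStream(new ByteArrayInputStream(payload))
    try {
      ois.setObjectInputFilter(allowFilter)
      ois.readObject()
    } finally ois.close()
  }

  // Builds constructed sample payloads for the demo; an attacker would craft the bytes directly.
  def serialize(obj: AnyRef): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val oos = new ObjectOutputStream(bos)
    try oos.writeObject(obj) finally oos.close()
    bos.toByteArray
  }

  def main(args: Array[String]): Unit = {
    val allowed = new java.util.ArrayList[String]()
    allowed.add("hello")
    // java.util.HashMap is harmless, but it stands in for any class outside the allowlist;
    // a real gadget class from a vulnerable library is rejected the same way.
    val notAllowed = new java.util.HashMap[String, String]()
    notAllowed.put("k", "v")

    println(safeDeserialize(serialize(allowed)))      // Success: ArrayList and String are on the allowlist
    println(safeDeserialize(serialize(notAllowed)))   // Failure: HashMap is rejected with InvalidClassException before instantiation
    println(unsafeDeserialize(serialize(notAllowed))) // the unfiltered path accepts anything the stream names
  }
}
```

Run it with `scala DeserializationDemo.scala` on a JDK 9+ runtime. The filter is set on the stream before the first readObject call, which matters: a filter installed after reading has begun does not protect the objects already materialized. A process-wide default can also be set with the `jdk.serialFilter` system property, which catches ObjectInputStream instances created by libraries the application does not control.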
Vulnerable code example (Java; the same ObjectInputStream calls apply unchanged when made from Scala)
import java.io.*;
public class VulnerableDeserialization {
    public Object deserializeData(byte[] input) {
        try {
            ByteArrayInputStream bais = new ByteArrayInputStream(input);
            ObjectInputStream ois = new ObjectInputStream(bais);
            // Vulnerable: directly deserializing untrusted input. Any serializable class on the
            // classpath can be instantiated, and its readObject logic runs before this returns.
            return ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalArgumentException("Deserialization failed", e);
        }
    }
}
✅ Secure code example
import java.io.*;
public class SecureDeserialization {
    // Whitelist of allowed classes for deserialization (ObjectInputFilter pattern syntax, Java 9+)
    private static final String ALLOWED_CLASSES = "java.util.ArrayList;java.lang.String";
    // Appending "!*" rejects every class not listed; without it unmatched classes are still accepted
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(ALLOWED_CLASSES + ";!*");
    public Object deserializeData(byte[] input) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(input))) {
            ois.setObjectInputFilter(FILTER); // unlisted classes fail with InvalidClassException before being instantiated
            return ois.readObject();
        }
    }
}