Insecure deserialization | Fluid Attacks Database

Database

Description

The system deserializes objects without first validating their content nor casting them to a specific type.

Impact

Enable to control the application execution flow.

Recommendation

Validate the incoming serialized objects and only deserialize them if they meet expected properties.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⏱️ 30 minutes.

Requirements

173 - Discard unsafe inputs 321 - Avoid deserializing untrusted data

Rules

Python Loads Insecure Deserialization Javascript Unsafe Deserialization Untrusted Data C Sharp Jsserializer Simpletyperesolver Usage C Sharp Viewstate Deserialization Rce Insecure Ruby Yaml Insecure Deserialization Typescript Unsafe Deserialization Untrusted Data Php Untrusted Unserialize Input C Sharp Insecure Deserialization Untrusted Input Python Unsafe Deserialization Method Kotlin Insecure Deserialization Untrusted Data C Sharp Insecure Deserialization Fastjson C Sharp Insecure Fspickler Deserialization C Sharp Unsafe Xml Deserialization Ruby Use Of Marshal Dangerous Function Swift Unarchiver Insecure Deserialization Scala Untrusted Input Insecure Deserialization C Sharp Type Name Handling All

Fixes

Csharp Dart Go Java JavaScript/TypeScript Php Python Ruby Scala Swift