Deserialization of Untrusted Data

From Guidance Share




Deserialization of untrusted data without proper validation can lead to application crashes or execution of arbitrary malicious code.

Applies To

  • Languages: C, C++, Java
  • Operating platforms: Any

Example

The following Java code deserializes untrusted data without performing any validation:

try {
    File file = new File("object.obj");
    // getBytesFromFile() is assumed to return the file's raw contents.
    // readObject() instantiates whatever class the stream names before the
    // cast to JButton is ever checked, so no validation happens at all.
    byte[] bytes = getBytesFromFile(file);
    ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes));
    javax.swing.JButton button = (javax.swing.JButton) in.readObject();
    in.close();
} catch (IOException | ClassNotFoundException e) {
    e.printStackTrace();
}


Consequences

  • Availability: If a function makes an assumption about when to terminate based on a sentinel value in a string, it could easily never terminate or may crash.
  • Authorization: Code may assume that the information in a deserialized object is valid. Functions that make this dangerous assumption could be exploited, allowing an attacker to run arbitrary malicious code.


Vulnerabilities

  • Failure to validate untrusted data during deserialization.


Countermeasures

  • Requirements specification: Use a deserialization library that provides a cryptographic framework to seal serialized data.
  • Implementation: Use the signing features of the language to assure that deserialized data has not been tampered with.
  • Implementation: When deserializing data, populate a new object rather than using the deserialized object directly, so that the data flows through the normal, safe input validation and the resulting object is known to be safe.
  • Implementation: Explicitly define a final readObject() method that throws, to prevent deserialization.

An example of this is:

private final void readObject(ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("Cannot be deserialized");
}

  • Implementation: Make fields transient to protect them from deserialization.
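As an added example (not part of the original page) putting two of the countermeasures above into working Java 9+ code: a Serializable class whose readObject() populates its fields and then runs the constructor's validation on them, with a transient field that is never taken from the stream, plus a JEP 290 ObjectInputFilter allow-list that rejects every class except the expected one before any of its deserialization hooks run (a technique the page does not name). Account, FILTER, load() and serialize() are names chosen here.

```java
import java.io.*;
import java.io.ObjectInputFilter.Status;

// Added example, not from the original page. Account, FILTER, load() and
// serialize() are names chosen here; ObjectInputFilter is the Java 9+ (JEP 290) API.
public class SafeDeserialization {
    static final class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String owner;
        private final long balanceCents;
        private transient boolean verified;   // never taken from the stream

        Account(String owner, long balanceCents) {
            if (!valid(owner, balanceCents)) throw new IllegalArgumentException("invalid account");
            this.owner = owner;
            this.balanceCents = balanceCents;
        }
        private static boolean valid(String o, long c) { return o != null && !o.isEmpty() && c >= 0; }

        // Countermeasure: populate the fields, then enforce the constructor's
        // invariants on them, so stream data cannot bypass validation.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (!valid(owner, balanceCents)) throw new InvalidObjectException("invalid account in stream");
            verified = false;                 // transient field reset explicitly
        }
    }

    // Countermeasure: allow-list of classes the stream may instantiate plus a depth
    // limit; anything else (e.g. javax.swing.JButton) is rejected before its hooks run.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4) return Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return Status.UNDECIDED;          // back-reference or primitive
        return (c == Account.class || c == String.class) ? Status.ALLOWED : Status.REJECTED;
    };

    static Account load(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);              // must precede readObject()
            return (Account) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Account ok = load(serialize(new Account("alice", 1500)));   // accepted
        System.out.println("accepted " + ok.owner + ", verified=" + ok.verified);
        try { load(serialize(new java.util.Date())); }              // not on the allow-list
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The rejection is raised as an InvalidClassException before java.util.Date's own readObject() runs, which is the point of filtering ahead of instantiation rather than relying on the cast after readObject().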
