Improving Insecure Deserialization Discovery in Web Applications

Date

2023-10-25

Publisher

Saudi Digital Library

Abstract

The insecure deserialization vulnerability has posed a persistent threat to backend systems and web applications since 2004, enabling devastating exploits such as remote code execution and privilege escalation. A significant challenge in testing for this vulnerability is the reliability of the feedback obtained from the tested target, which makes detecting the vulnerability difficult. This project aims to address this issue by introducing a novel method that provides a viable feedback mechanism showing the success or failure of an attack and thus improves the accuracy of testing. Our proposed tool addresses the reliability problem by applying a blind approach to testing for insecure deserialization. This mechanism removes the need for readable feedback from the target and instead relies on the behaviour of the target to determine the success or failure of the approach. This provides a much more precise assessment of attack success or failure, thus improving the overall reliability of vulnerability detection. This was observable in my tests, where the tool provided the outcome of the test. The tool also performed internal port scanning, which could be a serious vulnerability. In conclusion, the feedback mechanism introduced in this project shows the severity of insecure deserialization, as well as the opportunity to automate the scanning process.

Keywords

Serialization, RMI, RCE, CVE, OWASP, NIST, NVD, SQL, Gadgets, Bytestream, Magic Method, Transformers.

Copyright owned by the Saudi Digital Library (SDL) © 2025