- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Prevention
Defending against deserialization vulnerabilities is difficult. The best way to protect an application against these vulnerabilities varies greatly based on the programming language, libraries, and serialization format used. No one-size-fits-all solution exists.
You should make sure not to deserialize any data tainted by user input without proper checks. If deserialization is necessary, use an allowlist to restrict deserialization to a small number of allowed classes.
You can also use simple data types, like strings and arrays, instead of objects that need to be serialized when being transported. And, to prevent the tampering of serialized cookies, you can keep track of the session state on the server instead of relying on user input for session information. Finally, you should keep an eye out for patches and make sure your dependencies are up-to-date to avoid introducing deserialization vulnerabilities via third-party code.
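The two recommendations above (allowlist the classes that may be deserialized, and prefer plain data types that need no class resolution at all) can be demonstrated with Python's pickle module. The following is an added example, not code from the book; the allowlist contents, the sample payloads and the helper names are constructed for illustration. It overrides find_class, the hook pickle calls whenever a serialized stream asks for a module-level name, so that any global outside the allowlist is refused before it can be resolved.

```python
import io
import pickle
from collections import OrderedDict

# Constructed allowlist: the only (module, name) pairs the unpickler may
# resolve. A real application lists exactly the classes it expects to
# receive and nothing else.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # pickle calls this for every GLOBAL / STACK_GLOBAL opcode, i.e. each
        # time the stream names a class or function to instantiate or call.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to resolve {module}.{name}: not on the allowlist")


def safe_loads(data: bytes):
    """Deserialize with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes):
    """Return ("ok", obj) on success or ("rejected", reason) when refused."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads.
# 1) Plain data types only: dicts, lists, strings. No class lookup happens,
#    so this loads under the allowlist without being on it.
PLAIN_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["reader"]})

# 2) An allowlisted class: resolved through find_class and accepted.
ALLOWED_CLASS_PAYLOAD = pickle.dumps(OrderedDict(a=1))

# 3) A stream that names a global outside the allowlist. A harmless builtin
#    is used here; the point is that the resolution is refused regardless
#    of which name the stream carries.
FOREIGN_GLOBAL_PAYLOAD = pickle.dumps(len)


def unrestricted_resolves_global() -> bool:
    """Contrast: the stock loader resolves the same global without question."""
    return pickle.loads(FOREIGN_GLOBAL_PAYLOAD) is len


if __name__ == "__main__":
    for label, payload in [("plain", PLAIN_PAYLOAD),
                           ("allowed class", ALLOWED_CLASS_PAYLOAD),
                           ("foreign global", FOREIGN_GLOBAL_PAYLOAD)]:
        print(label, "->", try_safe_loads(payload))
    print("unrestricted loader resolves it:", unrestricted_resolves_global())
```

Note that the first payload never reaches find_class at all, which is the practical meaning of "use simple data types": a stream made only of strings, numbers, lists and dicts has nothing for an attacker to redirect, whereas the third payload is rejected by the allowlist but is resolved by the stock loader.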
Some developers try to mitigate deserialization vulnerabilities by identifying the commonly vulnerable classes and removing them from the application. This effectively restricts available gadgets attackers can use in gadget chains. However, this isn’t a reliable form of protection. Limiting gadgets can be a great layer of defense, but hackers are creative and can always find more gadgets in other libraries, coming up with creative ways to achieve the same results. It’s important to address the root cause of this vulnerability: the fact that the application deserializes user data insecurely.
The OWASP Deserialization Cheat Sheet is an excellent resource for learning how to prevent deserialization flaws for your specific technology: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html