An adversary attempts to exploit an application by injecting additional, malicious content into the serialized objects it processes. Developers use serialization to convert data or object state into a static byte or text representation for saving to disk or transferring over a network; these objects are later deserialized to recover the data or state. When an application deserializes input before validating it, the deserializer instantiates whatever types the payload names and runs their reconstruction logic, so a crafted object gives the adversary control over that process. Depending on the types and gadgets available in the application, this can result in a number of unwanted outcomes, including remote code execution.
| Field | Value |
|---|---|
| ID | CAPEC-586 |
| Latest Sync Date | 11/05/25 15:15:38 |
| Original ID | 586 |
| Abstraction | Meta |
| Status | Draft |
| Alternate Terms | |
| Likelihood Of Attack | Medium |
| Typical Severity | High |
| Related Attack Patterns | |
| Execution Flow | |
| Prerequisites | The target application must deserialize data before validating it. |
| Skills Required | |
| Resources Required | |
| Indicators | |
| Consequences | Availability / Resource Consumption: a routine that decides when to stop based on a sentinel inside a string may never terminate and exhaust available resources. Integrity / Modify Data: attackers can modify objects or data that was assumed to be safe from modification. Authorization / Execute Unauthorized Commands: functions that assume the information in a deserialized object is valid can be exploited. |
| Mitigations | Implementation: validate the serialized input before it is deserialized. Design: limit which types can be deserialized. Implementation: avoid having unnecessary types or gadgets available that can be leveraged for malicious ends; use an allowlist of acceptable classes. Implementation: keep session state on the server when possible. |
| Example Instances | |
| Related Weaknesses | CWE-502 (Deserialization of Untrusted Data) |
| Taxonomy Mappings | |
| Notes | |
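The following Python example is added here to illustrate the pattern and its mitigations; it is not part of the CAPEC entry. It uses the standard-library `pickle` format, whose object graphs may name any importable callable, so an attacker-supplied object whose `__reduce__` points at `builtins.eval` gets that callable invoked during loading (the CWE-502 sink). Two of the mitigations listed above are then shown: an allowlist of deserializable classes enforced through `Unpickler.find_class`, and validating the input before deserialization by authenticating the blob with a server-held HMAC key. `Session`, `Gadget`, `KEY` and the helper names are hypothetical; the evaluated expression is kept harmless, but any expression (for example one that imports `os`) would run the same way.

```python
"""Object injection via Python pickle: an eval gadget, the vulnerable sink,
and two mitigations (class allowlist, integrity check before unpickling).
All names and data here are illustrative, not from any real application."""
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass


@dataclass
class Session:
    """The only type the hypothetical application legitimately serializes."""
    user: str
    role: str


class Gadget:
    """Attacker-controlled class. The target never needs this class: the
    payload only records the callable and arguments that pickle must invoke
    to "reconstruct" the object, here builtins.eval(expr)."""

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        return (eval, (self.expr,))


def legitimate_payload():
    return pickle.dumps(Session("alice", "user"))


def malicious_payload(expr="6*7"):
    # Harmless expression for the demo; "__import__('os').system('id')" would
    # execute just the same once the blob reaches pickle.loads.
    return pickle.dumps(Gadget(expr))


def vulnerable_load(blob):
    # CWE-502 sink: every global named in the blob is imported and callable.
    return pickle.loads(blob)


# Mitigation "limit which types can be deserialized": (module, name) allowlist.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global reference in the stream, including the
        # callable of a __reduce__ tuple; reject anything not on the list.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Mitigation "validate before deserialization": authenticate the blob with a
# server-side key so a client cannot substitute its own object graph.
KEY = b"server-side-secret-placeholder"  # hypothetical; load from a secret store


def sign(blob, key):
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def verified_load(signed_blob, key):
    tag, blob = signed_blob[:32], signed_blob[32:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialize")
    # Keep the allowlist even behind the MAC: defence in depth if the key leaks.
    return restricted_load(blob)


def outcome(loader, *args):
    """Run a loader and report the object or the rejection, for the demo."""
    try:
        return ("ok", loader(*args))
    except (pickle.UnpicklingError, ValueError) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    print("vulnerable, malicious:", outcome(vulnerable_load, malicious_payload()))
    print("restricted, malicious:", outcome(restricted_load, malicious_payload()))
    print("restricted, legit:    ", outcome(restricted_load, legitimate_payload()))
    print("verified, forged key: ", outcome(verified_load, sign(malicious_payload(), b"x"), KEY))
    print("verified, legit:      ", outcome(verified_load, sign(legitimate_payload(), KEY), KEY))
```

Note that the allowlist is checked on every global reference, which is what stops the gadget: the stream still claims to contain a harmless object, but reconstructing it requires resolving `builtins.eval`, and that lookup is refused before anything is called. The MAC addresses a different gap, tampering with blobs the server itself produced, and is no substitute for the allowlist, since a leaked or shared key would let an attacker sign a gadget chain.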