Serialization Filtering — Deserialization Vulnerability Protection in Java

Deserialization vulnerability protection in Java

Albin Issac
Nov 19, 2020 · 4 min read

Serialization/Deserialization

Serialization converts the state of an in-memory object into a byte stream, for example to store the object in a file; deserialization reverses the process and rebuilds the object from that stream.

import java.io.*;

// Serialize: write the object's state to employee.ser
Employee emp = new Employee();
String filename = "employee.ser";
FileOutputStream file = new FileOutputStream(filename);
ObjectOutputStream out = new ObjectOutputStream(file);
out.writeObject(emp);
out.close();
file.close();

// Deserialize (separate snippet): rebuild the object from the byte stream in employee.ser
String filename = "employee.ser";
FileInputStream file = new FileInputStream(filename);
ObjectInputStream in = new ObjectInputStream(file);
Employee emp = (Employee) in.readObject();
in.close();
file.close();
// Any class whose instances are written with writeObject() must implement Serializable
public class Employee implements java.io.Serializable {
    private static final long serialVersionUID = 1L;
}

Deserialization Vulnerability

Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code: readObject() instantiates whatever Serializable classes the incoming byte stream names, so unless the application restricts those classes it has no control over which types are created while the stream is being read.

Employee emp = (Employee) in.readObject();   // no filter: the stream, not the cast, decides which classes get instantiated

Serialization Filter

To prevent Java deserialization vulnerabilities, an application has to restrict the set of classes that may be deserialized. Serialization filtering (JEP 290) provides this: it ships with JDK 9 and was backported to JDK 8u121, 7u131 and 6u141. A filter is consulted for every class, array and reference read from an ObjectInputStream and can reject it before the object is created.

  • Process-wide filters are configured with the jdk.serialFilter system property on the command line or, if that is not set, with the jdk.serialFilter security property in the java.security file. The value is a list of patterns separated by ";": a pattern prefixed with "!" rejects matching classes, otherwise it allows them; "pattern.*" matches every class in a package and "pattern.**" the package and its subpackages; patterns are evaluated in order and the first match decides, so a trailing "!*" turns the list into an allow-list. Limits such as maxdepth=, maxrefs=, maxbytes= and maxarray= may be added to the same list.
!pattern1.*;pattern2.*
java -Djdk.serialFilter='!com.somepackage.SomeClass;example.somepackage.*' com.example.test.Application
  • Security property file: JDK 9 and later: $JAVA_HOME/conf/security/java.security; JDK 8, 7, 6: $JAVA_HOME/lib/security/java.security
jdk.serialFilter=!com.example.Employee;
  • Custom filters are implemented using the ObjectInputFilter API. They give an application finer control than pattern-based filters because they can be specific to each ObjectInputStream.

With jdk.serialFilter=!com.example.Employee; in place, reading the employee.ser file from the first section is rejected inside readObject() before any Employee instance exists:
Nov 17, 2020 4:29:25 PM java.io.ObjectInputFilter$Config lambda$static$0
INFO: Creating serialization filter from !com.example.Employee;
Exception in thread "main" java.io.InvalidClassException: filter status: REJECTED
at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1287)
at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1896)
at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1772)
at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2060)
at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1594)
at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:430)
at com.example.SerializationFilter.main(SerializationFilter.java:26)

Custom Filter

Custom filters are filters you specify in your application's code. They are set on an individual stream (ObjectInputStream.setObjectInputFilter) or on all streams in a process (ObjectInputFilter.Config.setSerialFilter). You can implement a custom filter as a pattern, a method, a lambda expression, or a class.

// 1. Pattern filter on a single stream
FileInputStream fileread = new FileInputStream(filename);
ObjectInputStream in = new ObjectInputStream(fileread);
ObjectInputFilter filesOnlyFilter = ObjectInputFilter.Config.createFilter("!com.example.Employee;");
in.setObjectInputFilter(filesOnlyFilter);   // must be set before the first readObject()
Employee empread = (Employee) in.readObject();

// 2. Pattern filter on all streams in the process (can be set only once; throws
//    IllegalStateException if a process-wide filter is already set, e.g. via jdk.serialFilter)
ObjectInputFilter filesOnlyFilter = ObjectInputFilter.Config.createFilter("!com.example.Employee;");
ObjectInputFilter.Config.setSerialFilter(filesOnlyFilter);

// 3. Filter implemented as a class (CustomClassFilter implements ObjectInputFilter; its body is not shown here)
FileInputStream fileread = new FileInputStream(filename);
ObjectInputStream in = new ObjectInputStream(fileread);
in.setObjectInputFilter(new CustomClassFilter());
Employee empread = (Employee) in.readObject();

// 4. Filter implemented as a method reference (a static method taking a FilterInfo and returning a Status;
//    its body is not shown here)
FileInputStream fileread = new FileInputStream(filename);
ObjectInputStream in = new ObjectInputStream(fileread);
in.setObjectInputFilter(CustomMethodFilter::classFilter);
Employee empread = (Employee) in.readObject();

// 5. Filter implemented as a lambda: reject Employee, leave every other class UNDECIDED
FileInputStream fileread = new FileInputStream(filename);
ObjectInputStream in = new ObjectInputStream(fileread);
in.setObjectInputFilter(info -> (info.serialClass() != null
        && info.serialClass().getName().equals("com.example.Employee"))
        ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED);
Employee empread = (Employee) in.readObject();
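The following complete program is an added example, not code from the post. It ties the two previous sections together: a process-safe allow-list pattern filter (the post's deny-list only rejects one class and leaves everything else UNDECIDED, so the same run also shows the deny-list for comparison) and a class-based custom filter that wraps the pattern filter and logs every decision, which is the hook a defender uses to detect rejected or unexpectedly deep streams. It assumes JDK 9 or later, hypothetical Employee and Address classes in package com.example, a hypothetical LoggingFilter class, and constructed sample objects serialized to an in-memory byte array instead of a file.

```java
package com.example;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical value classes for this demo (not the post's Employee class).
class Address implements Serializable {
    private static final long serialVersionUID = 1L;
    String city;
    Address(String city) { this.city = city; }
}

class Employee implements Serializable {
    private static final long serialVersionUID = 1L;
    String name;
    int id;
    Address address;
    Employee(String name, int id, Address address) { this.name = name; this.id = id; this.address = address; }
}

public class SerialFilterDemo {

    // Allow-list: only the two types the stream is expected to carry, a depth cap, and a
    // final "!*" that rejects every other class. Patterns are evaluated in order and the
    // first match decides, so "!*" must come last.
    static final String ALLOW_LIST = "com.example.Employee;com.example.Address;maxdepth=5;!*";

    // Deny-list in the post's style: rejects one class and leaves all others UNDECIDED,
    // which ObjectInputStream treats as "proceed".
    static final String DENY_LIST = "!com.example.Employee;";

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Hypothetical class-based custom filter: delegates the decision to a pattern filter and
    // records each call. A REJECTED status on a stream the application never expected to see
    // is the event worth alerting on.
    static final class LoggingFilter implements ObjectInputFilter {
        private final ObjectInputFilter delegate;
        LoggingFilter(ObjectInputFilter delegate) { this.delegate = delegate; }

        @Override
        public Status checkInput(FilterInfo info) {
            Status status = delegate.checkInput(info);
            // serialClass() is null when the stream only checks a back-reference or depth
            String cls = info.serialClass() == null ? "<ref>" : info.serialClass().getName();
            System.out.printf("filter: class=%s depth=%d refs=%d bytes=%d -> %s%n",
                    cls, info.depth(), info.references(), info.streamBytes(), status);
            return status;
        }
    }

    static Object deserialize(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = new LoggingFilter(ObjectInputFilter.Config.createFilter(pattern));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);   // per-stream filter; set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Employee("Ada", 42, new Address("London")));   // constructed sample

        // The allow-list accepts the expected object graph (Employee at depth 1, Address at depth 2)
        Employee e = (Employee) deserialize(data, ALLOW_LIST);
        System.out.println("allow-list: read " + e.name + " from " + e.address.city);

        // The deny-list rejects Employee with the same exception as in the post's stack trace
        try {
            deserialize(data, DENY_LIST);
        } catch (InvalidClassException ex) {
            System.out.println("deny-list: " + ex.getMessage());   // filter status: REJECTED
        }

        // The allow-list also rejects any class that is not on it, here a java.util.Date
        try {
            deserialize(serialize(new java.util.Date()), ALLOW_LIST);
        } catch (InvalidClassException ex) {
            System.out.println("allow-list: unexpected class rejected: " + ex.getMessage());
        }
    }
}
```

Compile and run with `javac -d out SerialFilterDemo.java` followed by `java -cp out com.example.SerialFilterDemo`. The allow-list is the form to prefer in production: a deny-list has to name every dangerous class in advance, whereas "!*" rejects anything the application did not explicitly expect, and the logged FilterInfo fields (depth, reference count, bytes consumed) give operators a record of what a rejected stream tried to load.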

Tech Learnings

Everything about Tech Learnings

Thanks to Zack Shapiro

Albin Issac

Written by

Working as a Software Architect on Marketing Technologies. Reach out to me on Linkedin: https://www.linkedin.com/in/albin-issac-56917523/
