Location>code7788 >text

Java Serialization, Deserialization, Deserialization Vulnerabilities

Popularity:976 ℃/2024-09-25 10:06:16

catalogs
  • 1 Serialization and Deserialization
    • 1.1 Concepts
    • 1.2 What can serialization do?
  • 3 Realization
    • 3.1 Java Native Approach
    • 3.2 Third-party approach
  • 4 Deserialization Vulnerabilities

1 Serialization and Deserialization

1.1 Concepts

Serialization in Java means the process of converting a runtime object into a stream of bytes that can be transferred or stored over the network. Deserialization is the opposite, the process of restoring a byte stream into an object.

1.2 What can serialization do?

  1. Persistent Storage: Saves the object state to a storage device (e.g., hard disk) so that it can be read for subsequent use.
  2. network transmission: Converts the object into a stream of bytes, sends it over the network to another JVM instance, and the receiver then streams the bytes back to the object.
  3. deep copying: Deep copying of objects can be achieved through serialization and deserialization, i.e., a new object is created and the data of the new object is the same as the original object, but they have different addresses in memory.

3 Realization

3.1 Java Native Approach

step1: implement the Serializable interface

To enable objects of a class to be serialized, simply have the class implement the Serializable interface.Serializable is a marked interface that defines no methods. Example:

public class Person implements Serializable {
    // selectable,For version control
    private static final long serialVersionUID = 1L;
    private String name;
    private int age;

    public Person(String name, int age) {
         = name;
         = age;
    }

    @Override
    public String toString() {
        return "Person{" +
        "name='" + name + ''' +
        ", age=" + age +
        '}';
    }

}

step2: Serialize using ObjectOutputStream#writeObject() method. Example:

public static void main(String[] args) throws IOException {
    ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("D:\"));
    (new Person("zhangsan",18));
}

step3: Deserialize using ObjectInputStream#readObject() method. Example:

public static void main(String[] args) throws IOException, ClassNotFoundException {
    ObjectInputStream ois = new ObjectInputStream((("D:\")));
    Person p = (Person) ();
    (p);
}
// printable Person{name='zhangsan', age=18}

3.2 Third-party approach

Objects serialized using Java's native serialization can only be read by Java (deserialized), so consider converting the object to a common format first - such as a JSON string - and then converting the JSON string to a stream of bytes for network transmission, so as to achieve cross-platform or cross-language.

This time you can use the open source serialization tools on the market, such as JSON, Xml, hessian and so on.

4 Deserialization Vulnerabilities

Deserialization is taking a data stream and turning it into an object, so what if the data stream has been maliciously processed?

Take Java's native deserialization, for example. Deserialization requires a call to the ObjectInputStream#readObject() method, but if the object of the stream overrides readObject() itself, then Java calls its own readObject() method, which gives an attacker an opportunity to write attack code in its own readObject() method. readObject() method. This gives attackers the opportunity to write attack code in their own readObject() method.

Let's revamp the Person class from the above example:

@Data
public class Person implements Serializable {
    // Optional, for version control
    private static final long serialVersionUID = 1L; private String name; }
    private String name; private int age; private int
    private String name; private int age; private String name; private String name.

    public Person(String name, int age) {
         = private String name; private int age; public Person(String name, int age) {
         = name; int age; public Person(String name, int age) { = name; int age
    }

    @Override
    public String toString() {
        return "Person{" +
        "name='" + name + ''' +
        ", age=" + age +
        '}';
    }

    // Overrides the readObject method, which is called when deserializing the object
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        (); //This step allows the deserialization of the read object to follow the default method first.
        ().exec("calc"); //This step is the attack code which opens the windows calculator.
    }
}

At this point to perform deserialization will open the system's calculator, if you open the calculator changed to other attack code, the attacker will be able to achieve the attack on the system.

Why does Java allow us to override readObject and let the server call our readObject? In fact, the reason for doing so is to facilitate the customization of the serialization methods of certain classes, for example, the HashMap class has overridden the readObject method, the reason is that due to the HashMap internal use of some specific data structures (such as arrays and chained lists/magenta trees), direct deserialization may not be able to correctly recover these internal structures. Therefore, the readObject method is responsible for correctly reconstructing these internal structures based on the serialized data.

<Previous Next>