Fake serialization information

I am preparing for the MCTS exam 70-536 and reading the book "Self-study MCTS Kit exam 70-536 application development framework for the Microsoft second edition".

In Chapter 5, Serialization, below is a statement that has alerted me.

You must check the data in your serialization constructor and throw a SerializationException if invalid data is specified. The risk is that an attacker may use your class but provide fake serialization information in an attempt to exploit a weakness.

I understand the reliability of the data, but I can’t understand how an attacker can fake serialization information. I would like to know this from the point of view of an example (either in code or in concept). I searched the web but couldn't think of anything.

+4
1 answer

If you serialize your data to a file, the user can simply edit your file to make your program malfunction. Similar things can be done if you read from or write to an online address (including changing the data in transit, if it is not authenticated). The general point is that there is no guarantee that serialized data was generated by your application; it can be generated by an attacker or a fuzz tester that intentionally corrupts your application's data structures while looking for vulnerabilities.

+6
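As an added example (not from the book or from either poster), here is the pattern the book's statement describes in C#: an ISerializable class whose deserialization constructor re-checks its invariants and throws SerializationException, plus a small stand-in for a formatter that feeds the constructor whatever values happen to be in the file. The Account class, its field names and the limits are constructed for the illustration.

```csharp
using System;
using System.Runtime.Serialization;

[Serializable]
public sealed class Account : ISerializable
{
    public string Owner { get; }
    public int Balance { get; }   // invariant: never negative
    public Account(string owner, int balance) { Owner = owner; Balance = balance; }

    // Deserialization constructor. The SerializationInfo was built from bytes this
    // program did not produce, so every invariant is re-checked before it is trusted.
    private Account(SerializationInfo info, StreamingContext context)
    {
        string owner = info.GetString("Owner");
        int balance = info.GetInt32("Balance");
        if (string.IsNullOrWhiteSpace(owner) || owner.Length > 64)
            throw new SerializationException("Invalid Owner in serialized data.");
        if (balance < 0)
            throw new SerializationException("Invalid Balance in serialized data.");
        Owner = owner; Balance = balance;
    }
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("Owner", Owner);
        info.AddValue("Balance", Balance);
    }
    // Stands in for a formatter reading an untrusted stream: it fills a SerializationInfo
    // with whatever the stream says and hands it to the deserialization constructor.
    public static void Restore(string owner, int balance)
    {
        var info = new SerializationInfo(typeof(Account), new FormatterConverter());
        info.AddValue("Owner", owner);
        info.AddValue("Balance", balance);
        try
        {
            var a = new Account(info, new StreamingContext(StreamingContextStates.All));
            Console.WriteLine($"Accepted: {a.Owner} / {a.Balance}");
        }
        catch (SerializationException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
    public static void Main()
    {
        Restore("alice", 100);    // genuine data
        Restore("alice", -5000);  // Balance field edited in the serialized file
        Restore("", 100);         // Owner field edited in the serialized file
    }
}
```

Without the checks in the private constructor, the second and third calls would yield Account objects that violate invariants the rest of the program assumes.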

Source: https://habr.com/ru/post/1341499/
