JAVA Anti-serialization attack

Source: Internet
Author: User

The process of decomposing Java objects into bytecode is called serialization, and the process of assembling a Java object from bytecode is called deserialization, which corresponds to the writeobject and readobject methods respectively. The problem is that readobject does not call the constructor when assembling a Java object with a byte stream, which means that there is no type of check, and the user can replicate the readobject() method to execute any code that it wants to execute.

This can lead to three problems:

1. A serialized object modifies an unprotected key property of an object or parent class, leading to unexpected results.   for example:

    class client {private int value;public client (INT&NBSP;V)  {        if  (v <= 0)  {             throw new runtimeexception ("Not positive  number ");        }         value = v;    }    public void writeobject ( Objectoutputstream oos)  throws IOException {         int value = 0; //here the value is changed to 0. (In reality, you can modify this value in many ways, such as debug mode, modify serialize bytecode, or class instrument)          Oos.defaultwriteobject ();     }}class controller {    private  arrayblockingqueue<client> queue;    public  Void receivestate (oin)  throws IOException, ClassNotFoundException {         Client s =  (Client) oin. ();  //deserialization does not call the constructor, and a non-0 check of value does not trigger         queue.add (s);     }    public client getclient ()  throws interruptedexception  {        return  (Client) queue.take ();     }}class Server extends Thread {    private Controller  Controller = new controller ();    private int result =  100;    public void run ()  {         while  (True)  {            try {                  result = result / controller.getclient (). GetValue ();  //  because value is 0, it causes an arithmetic exception, thread end                  thread.sleep (;           )  } catch  (Interruptedexception e)  {}        }     }}

2. An attacker could create a chain of loop objects and then serialize them. Causes deserialization to fail to end, wasting system resources. For example:

Set root = new HashSet (); Set S1 = root;  Set s2 = new HashSet (); for (int i = 0; i <; i++) {Set T1 = new HashSet ();  Set t2 = new HashSet (); T1.add ("foo");  Make T2 not equal to T1 s1.add (T1);  S1.add (T2);  S2.add (t1);  S2.add (T2);  S1 = t1; s2 = t2; } class Controller {public void receivestate (ObjectInputStream ois) {FileOutputStream fos = new Fileoutputs        Tream (New File ("Xxx.ser")); Fos.write (OIS);        You don't actually know what it is, it might be a malicious script.    Fos.close (); }}
Reference

JAVA Deserialization Attack | It addiction

http://itindex.net/detail/54975-java-%E5%BA%8F%E5%88%97%E5%8C%96


Java Deserialization Vulnerability Analysis-ssooking-Blog Park

Http://www.cnblogs.com/ssooking/p/5875215.html


Java serialization mechanisms and principles-redcreen-Blog Park

Http://www.cnblogs.com/redcreen/archive/2011/02/15/1955307.html



JAVA Anti-serialization attack

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.