CAPEC-586: Object Injection (CAPEC List Version 3.9)

Attack Pattern ID: 586
Abstraction: Meta
+ Description
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
This table shows the views that this attack pattern belongs to and the top-level categories within that view.
+ Prerequisites
The target application must unserialize data before validation.
+ Consequences
This table specifies the different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be a high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope          Impact                          Likelihood
Availability   Resource Consumption
Integrity      Modify Data
Authorization  Execute Unauthorized Commands
+ Mitigations

Implementation: Validate the serialized object before deserializing it.

Design: Limit which types can be deserialized.

Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.

Implementation: Keep session state on the server, when possible.
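
The following is an added example, not part of the CAPEC entry, showing the "limit which types can be deserialized" and "use an allowlist of acceptable classes" mitigations with Python's pickle module. The SessionState class, the ALLOWED_CLASSES set and the sample payloads are constructed for illustration. A subclass of pickle.Unpickler overrides find_class, which pickle calls to resolve every class or callable named in a payload; any (module, name) pair not on the allowlist raises before the referenced object is looked up, so a foreign type is never instantiated or called.

```python
"""Allowlist-based deserialization guard (added example, not from CAPEC).

A restricted Unpickler resolves only the classes listed in ALLOWED_CLASSES.
Any other global reference in the payload (a different class, or a callable
that an injected object might name) is refused at name-resolution time,
before anything is constructed.
"""
import io
import pickle
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SessionState:
    """Hypothetical application type that is legitimately serialized."""
    user_id: int
    role: str


# Allowlist of (module, qualified name) pairs permitted in a payload.
# SessionState.__module__ is this module, whatever it is imported as.
ALLOWED_CLASSES = {
    (SessionState.__module__, "SessionState"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present in ALLOWED_CLASSES."""

    def find_class(self, module, name):
        # pickle calls this for every GLOBAL/STACK_GLOBAL opcode; refusing
        # here means the disallowed object is never even looked up.
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to deserialize disallowed type {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize `data` while enforcing the class allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', object) on success or ('rejected', reason) on refusal."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def legitimate_payload() -> bytes:
    """Constructed sample: a payload the application itself would produce."""
    return pickle.dumps(SessionState(user_id=42, role="viewer"))


def foreign_payload() -> bytes:
    """Constructed sample: a payload naming a type that is not on the
    allowlist. A harmless stdlib class stands in for whatever an injected
    object would reference; the guard rejects it the same way."""
    return pickle.dumps(OrderedDict(a=1))


if __name__ == "__main__":
    print(try_load(legitimate_payload()))   # ('ok', SessionState(...))
    print(try_load(foreign_payload()))      # ('rejected', 'refusing ...')
```

The allowlist constrains which types may be constructed; it does not check the field values inside an allowed object, so it should be paired with validation of the resulting object (user_id in range, role from a known set) before the application trusts it. Keeping the allowlist to concrete application types, rather than broad modules, is what removes the reachable gadgets the Mitigations section refers to.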

+ References
[REF-468] "Deserialization of Untrusted Data". OWASP. 2017-01.
+ Content History
Submissions
Date (Version)             Submitter           Organization
2017-02-06 (Version 2.9)   CAPEC Content Team  The MITRE Corporation

Modifications
Date (Version)             Modifier            Organization           Comment
2018-07-31 (Version 2.12)  CAPEC Content Team  The MITRE Corporation  Updated References, Related_Weaknesses
2020-07-30 (Version 3.3)   CAPEC Content Team  The MITRE Corporation  Updated Mitigations
2020-12-17 (Version 3.4)   CAPEC Content Team  The MITRE Corporation  Updated Mitigations
Page Last Updated or Reviewed: July 31, 2018