Pages

Tuesday, 10 May 2016

Make your classes nondeserializeable - Secure Coding in Java

Even if class isn't serializeable, it may still be deserializeable. An adversary can create a sequence of bytes that happens to deserialize to an instance of class. This is dangerous, since do not have control over what state the deserialized object is in. We can think of deserialization as another kind of public constructor for our object; unfortunately it's a kind of constructor that is difficult for us to control.

We can prevent this kind of attack by making it impossible to deserialize a byte stream into an instance of our class. We can do this by throwing IOException from readObject method.



private final void readObject(ObjectInputStream in) throws java.io.IOException {
      throw new java.io.IOException("Class cannot be deserialized");
}

No comments:

Post a Comment