
Security Test: Deserialization Attack

Description

Default Severity:

A deserialization attack occurs when an application rebuilds objects from untrusted serialized input (a cookie, a request body, a message-queue payload, a cache entry) using a decoder that resolves types or callables from the input itself, such as Java object serialization, PHP unserialize, Python pickle, or a YAML loader in its unsafe mode. The attacker does not need to inject source code: a crafted byte stream names classes and methods that already exist in the application or its dependencies (a "gadget chain"), and reconstructing the object executes them, which can run commands on the host, exhaust resources and crash the service, or read and exfiltrate data. The root causes are trusting the origin and integrity of serialized data and using deserialization APIs that will instantiate any type named in the stream. Because the attacker controls what the application does next, it is critical to prefer data-only formats (such as JSON) with explicit schema validation, to restrict deserialization to an allow-list of expected types, and to verify the integrity of any serialized data before it reaches the decoder.
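The following Python example, added here as an illustration and not part of the scanner or of any real application, shows the three sides of the problem described above: a crafted pickle payload whose __reduce__ hook names a callable to run on load (a benign side_effect function stands in for os.system or subprocess), a vulnerable handler that calls pickle.loads on it, and two hardened alternatives: a pickle.Unpickler subclass whose find_class only resolves an allow-list of types, and a JSON parser with explicit schema checks. All names (Gadget, Profile, side_effect, ALLOWED_CLASSES, PROFILE_SCHEMA) are constructed for the example.

```python
import io
import json
import pickle

# Constructed demonstration; none of this is the scanner's or a real app's code.

# --- attacker side: a gadget that runs a callable when unpickled ---------------
EXECUTED = []  # records side effects so the demo can observe what ran


def side_effect(arg):
    """Stand-in for os.system / subprocess.Popen in a real gadget chain."""
    EXECUTED.append(arg)
    return arg


class Gadget:
    def __reduce__(self):
        # The pickle stream will literally say: call side_effect("pwned").
        return (side_effect, ("pwned",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(Gadget())


# --- application side ----------------------------------------------------------
class Profile:
    """The only type the application legitimately expects to receive."""

    def __init__(self, name: str, role: str):
        self.name = name
        self.role = role


def serialize_profile(profile: Profile) -> bytes:
    return pickle.dumps(profile)


def vulnerable_load(data: bytes):
    """Deserializes untrusted bytes directly: any callable named in the stream runs."""
    return pickle.loads(data)


# Allow-list of (module, name) pairs mapped to the concrete objects we are willing
# to instantiate. Anything else is refused before a single byte is acted on.
ALLOWED_CLASSES = {(Profile.__module__, "Profile"): Profile}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_CLASSES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}") from None


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True when the restricted unpickler refuses the payload without executing it."""
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Preferred: a data-only format plus explicit validation of shape and values.
PROFILE_SCHEMA = {"name": str, "role": str}
ALLOWED_ROLES = {"user", "admin"}


def parse_profile_json(text: str) -> Profile:
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(PROFILE_SCHEMA):
        raise ValueError("unexpected fields")
    for key, typ in PROFILE_SCHEMA.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"{key} must be {typ.__name__}")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return Profile(obj["name"], obj["role"])


def rejects_json(text: str) -> bool:
    try:
        parse_profile_json(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("vulnerable_load ->", vulnerable_load(payload), "executed:", EXECUTED)
    print("hardened_load blocked payload:", is_blocked(payload))
    print("legitimate profile:", hardened_load(serialize_profile(Profile("alice", "user"))).name)
```

The allow-list in find_class is the pickle-specific form of "restrict the types accepted during deserialization"; the same idea applies to Java's ObjectInputFilter or PHP's unserialize allowed_classes option. Note that the payload is refused when the unpickler first resolves side_effect, before the REDUCE opcode that would call it, so nothing attacker-controlled runs. The JSON path avoids the problem altogether because json.loads can only ever produce dicts, lists, strings and numbers, and the schema check rejects unexpected fields and values.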

Reference:

Configuration

Identifier: injection/deserialization_attack

Examples

All configuration available:

checks:
  injection/deserialization_attack:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API10:2023
OWASP LLM Top 10 LLM04:2023
PCI DSS 6.5.2
GDPR Article-32
SOC2 CC6
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP SI-10
CWE 502
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Score 9.8