OWASP / Top10

Official OWASP Top 10 Document Repository

Merge "Insecure Deserialization" into "Injection" #530

Closed 247arjun closed 3 years ago

247arjun commented 3 years ago

The 2021 draft of the OWASP Top 10 has merged Insecure Deserialization with Supply Chain Attacks to form A08:2021-Software and Data Integrity Failures. To me, this doesn't feel like a cohesive group.

I would rather have Insecure Deserialization be merged into A03:2021-Injection since the argument can be made that Insecure Deserialization involves attacker supplied data that is not validated (the 2017 OWASP Top 10 examples could be interpreted as such).

infosecdad commented 3 years ago

We have had much discussion on Deserialization whether it is more in the "Injection" or "Software and Data Integrity Failures" category.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
https://portswigger.net/web-security/deserialization
https://cwe.mitre.org/data/definitions/502.html
https://rules.sonarsource.com/java/RSPEC-5135
https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data

After reading a lot of background on it, it was decided that it's more in the Software and Data Integrity Failures category because the primary recommendation (outside of not doing it) is to sign or similarly ensure the integrity of the serialized data, with whitelisting classes/structure a second.

jmanico commented 3 years ago

A brief note.

Signing an artifact to stop deserialization attacks is relevant when the server that delivers the data is the same one that verifies it, like when handing out session data.

But historically that was not the issue, per my understanding.

Deserialization attacks mostly occurred when an API endpoint would take untrusted binary data from users/clients who would modify the data as they saw fit, like any other request tampering.

In that case, even if signatures are required, the attacker could modify the data before signing and send it to a server endpoint.

So when I hear that signatures are the primary Deserialization defense, that is news to me. I don’t see it.
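The two defences infosecdad lists (integrity of the serialized blob, then an allowlist of classes) and the caveat jmanico raises against the first, shown side by side as an added example that is not part of this thread or of the OWASP project. It uses Python's pickle as a stand-in for the Java serialization the references discuss, because the failure modes are the same. Everything here is constructed: the "gadget" only appends to a list instead of running a command, and the server key, the Session class and the endpoints are assumptions made for the illustration.

```python
import hashlib
import hmac
import io
import pickle

# Constructed, deliberately harmless "gadget": pickle honours __reduce__, so
# any callable it names runs during unpickling. Real gadgets call os.system.
SIDE_EFFECTS = []

def record_effect(tag):
    SIDE_EFFECTS.append(tag)
    return tag

class Gadget:
    def __reduce__(self):
        return (record_effect, ("gadget-executed",))

class Session:  # assumed legitimate server-side type
    def __init__(self, user, role):
        self.user = user
        self.role = role

# Vulnerable endpoint: unpickle whatever the client sent.
def load_untrusted(blob):
    return pickle.loads(blob)

# Defence 1: integrity. HMAC over the blob, verified before unpickling.
SERVER_KEY = b"constructed-server-secret"  # assumption: never leaves the server

def sign(blob, key=SERVER_KEY):
    return hmac.new(key, blob, hashlib.sha256).digest() + blob

def verify_and_load(signed, key=SERVER_KEY):
    tag, blob = signed[:32], signed[32:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return pickle.loads(blob)

# Defence 2: allowlist. Only named classes may be resolved while unpickling,
# so a gadget's callable is refused before it can run.
ALLOWED = {(Session.__module__, "Session")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused {module}.{name}")

def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def gadget_ran(fn, *args):
    """Call fn(*args); report whether the gadget fired and what came back."""
    before = len(SIDE_EFFECTS)
    try:
        result = fn(*args)
    except (ValueError, pickle.UnpicklingError) as exc:
        result = exc
    return len(SIDE_EFFECTS) > before, result

def scenario_untrusted():
    # Client supplies the bytes, server unpickles them: the gadget runs.
    ran, _ = gadget_ran(load_untrusted, pickle.dumps(Gadget()))
    return ran

def scenario_tampered_session():
    # Server issues a signed session; client edits the role; verification
    # fails. This is the case where signing works: same server signs and checks.
    signed = sign(pickle.dumps(Session("alice", "viewer")))
    tampered = signed.replace(b"viewer", b"editor")
    ran, result = gadget_ran(verify_and_load, tampered)
    return (not ran) and isinstance(result, ValueError)

def scenario_sign_what_client_sends():
    # jmanico's case: an endpoint signs client-supplied bytes (say, to "save"
    # them) and later trusts its own signature. The attacker submits the
    # gadget, gets it signed, and the gadget still runs on replay.
    signed = sign(pickle.dumps(Gadget()))
    ran, _ = gadget_ran(verify_and_load, signed)
    return ran

def scenario_allowlist():
    # The allowlist blocks the gadget regardless of who produced the bytes,
    # while a legitimate Session still loads.
    ran, result = gadget_ran(load_restricted, pickle.dumps(Gadget()))
    blocked = (not ran) and isinstance(result, pickle.UnpicklingError)
    sess = load_restricted(pickle.dumps(Session("alice", "viewer")))
    return blocked and sess.role == "viewer"

if __name__ == "__main__":
    print("untrusted load runs gadget:", scenario_untrusted())
    print("tampered session rejected:", scenario_tampered_session())
    print("signed attacker blob still runs gadget:", scenario_sign_what_client_sends())
    print("allowlist blocks gadget, loads Session:", scenario_allowlist())
```

The third scenario is the one to keep in mind when reading "sign the data" as the primary defence: a signature proves who last signed the bytes, not that the bytes are safe to instantiate, so whenever the client can influence what gets signed the class allowlist is the control that actually stops the gadget.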

vanderaj commented 3 years ago

The idea of the OWASP Top 10 is that you do all of it. As long as deserialization appears in the OWASP Top 10, I'm good with leaving it as is.