Add Testing for Deserialisation of Untrusted Data #7

Open
itscooper opened this issue Jun 15, 2017 · 32 comments

Comments

@itscooper
Contributor

https://cwe.mitre.org/data/definitions/502.html

@salecharohit

Hi,

I have delivered a workshop on this topic and would like to contribute to the testing guide by adding details on how to go about finding these issues in various languages like Java, PHP, Python, Node.js and .NET.

Please guide me as to how I can add the details.

@kingthorin kingthorin added the new New content to write label Mar 27, 2019
@kingthorin kingthorin added this to the Add New Testing Scenarios milestone Aug 18, 2019
@vermava

vermava commented Aug 20, 2019

Hi Team, I am picking up the topic and working on it

Thank You
Vandana

@ThunderSon ThunderSon added the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Sep 30, 2019
@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2019
@RiieCco
Contributor

RiieCco commented Jan 11, 2020

Hey @vermava,

How far did you get with writing test scenarios for this one?
I can maybe give some assistance here, since we also already have labs for insecure deserialization.

https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-deserialisation-yaml
https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-des-pickle-2
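
The pickle case those labs exercise, as an added example that is not code from the SKF write-ups or from the WSTG: a crafted object whose `__reduce__` names a callable, the vulnerable `pickle.loads` pattern that runs it, and the allow-list `Unpickler.find_class` hardening from the Python documentation. The gadget here is constructed to plant an attribute on `builtins` (the `MARKER` name is an assumption) so the side effect can be observed without running a shell command; a real payload would name `os.system` or `subprocess.Popen` in the same slot.

```python
import builtins
import io
import pickle

MARKER = "PWNED_BY_PICKLE"   # constructed marker attribute the gadget plants on builtins


class Payload:
    """Pickles to an instruction 'call exec(...)' rather than to any data.

    pickle honours __reduce__ verbatim, so whatever callable it names is
    invoked by the victim's interpreter at load time.
    """

    def __reduce__(self):
        # Real-world payloads put os.system / subprocess.Popen here. This one
        # only sets builtins.PWNED_BY_PICKLE so the effect is observable and harmless.
        return (exec, (f"import builtins; builtins.{MARKER} = 'pwned'",))


def build_malicious_blob():
    """What a tester would place in a cookie or parameter that gets unpickled."""
    return pickle.dumps(Payload())


def vulnerable_loads(blob):
    """The pattern under test: untrusted bytes straight into pickle.loads."""
    return pickle.loads(blob)


SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler (the 'Restricting Globals' recipe from the Python docs).

    Every global the stream asks for passes through find_class, so anything
    outside the allow-list is refused before it can be called.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def _marker():
    return getattr(builtins, MARKER, None)


def _clear_marker():
    if hasattr(builtins, MARKER):
        delattr(builtins, MARKER)


def demo():
    """Run the same blob through both loaders and report what each did."""
    blob = build_malicious_blob()
    _clear_marker()
    vulnerable_loads(blob)                # exec runs inside pickle.loads
    after_unsafe = _marker()              # 'pwned'
    _clear_marker()
    try:
        restricted_loads(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    after_restricted = _marker()          # None: refused before exec was reached
    # Plain data (dicts, lists, strings) needs no globals and still round-trips.
    safe = restricted_loads(pickle.dumps({"user": "alice", "roles": ["viewer"]}))
    return {
        "after_unsafe": after_unsafe,
        "blocked": blocked,
        "after_restricted": after_restricted,
        "safe": safe,
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the important part: `find_class` is the only hook through which an unpickler resolves callables, so a deny-list there is never enough. Where the data is plain state, a non-executable format (JSON) removes the problem entirely.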

@ThunderSon
Collaborator

@RiieCco I tried tagging Verma on another issue. No replies. You can move forward with this 😄

@ThunderSon ThunderSon assigned RiieCco and unassigned vermava Jan 11, 2020
@victoriadrake victoriadrake modified the milestones: v4.x: Add New, v4.2: Test Additions Jan 22, 2020
@kingthorin
Collaborator

@RiieCco are you going to be able to tackle this?

@Hsiang-Chih
Contributor

For serialization issues, there are blackbox and whitebox approaches.
Refer to the section I have done for the Cheat Sheet. Let me know if there is any section I can help add.
Deserialization_Cheat_Sheet.html

@ThunderSon
Collaborator

Looking at the CS, that CS should belong in this project. It's purely offensive.
@rbsec @kingthorin what are your thoughts on this?

@kingthorin
Collaborator

It ends with some offensive references but the majority of the article is about Deserializing Safely (from my skim of the content).

As for white vs blackbox. Although code review is mentioned in the TG it isn't really "testing", so blackbox is probably more applicable (ex: ways you'd identify and exploit during a penetration test or leveraging DAST).
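
The identification step of that black-box approach, as an added example that is not code from the WSTG or the cheat sheet: fingerprint request values (cookies, parameters, headers) for the stream headers of native serialisation formats, trying the value raw, URL-decoded and base64-decoded. The signature table (Java `AC ED 00 05`, pickle `0x80` plus protocol byte, .NET BinaryFormatter and ViewState headers, Ruby Marshal `04 08`, PHP `O:`/`a:`/`s:` prefixes) and the sample values are this example's own assumptions; the samples are constructed, not captured from any application.

```python
import base64
import binascii
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Leading bytes of common native serialisation streams (assumed signatures).
_PHP = re.compile(rb'(?:[aOC]:\d+:|s:\d+:"|[ibd]:-?[\d.]+;|N;)')
SIGNATURES = [
    ("java-serialized",        lambda b: b.startswith(b"\xac\xed\x00\x05")),
    ("python-pickle",          lambda b: len(b) >= 2 and b[0] == 0x80 and 2 <= b[1] <= 5),
    ("dotnet-binaryformatter", lambda b: b.startswith(b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00")),
    ("dotnet-viewstate",       lambda b: b.startswith(b"\xff\x01")),
    ("ruby-marshal",           lambda b: b.startswith(b"\x04\x08")),
    ("php-serialize",          lambda b: _PHP.match(b) is not None),
]

_B64_STD = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")
_B64_URL = re.compile(rb"^[A-Za-z0-9_-]{8,}={0,2}$")


def _base64_candidates(data):
    """Yield (label, decoded bytes) for each base64 alphabet the value plausibly uses."""
    for label, alphabet, decoder in (
        ("base64", _B64_STD, base64.b64decode),
        ("urlsafe-base64", _B64_URL, base64.urlsafe_b64decode),
    ):
        if not alphabet.match(data):
            continue
        stripped = data.rstrip(b"=")
        padded = stripped + b"=" * (-len(stripped) % 4)   # re-pad values with padding stripped
        try:
            yield label, decoder(padded)
        except (binascii.Error, ValueError):
            continue


def fingerprint(value):
    """Return sorted 'decoding:format' labels for one cookie, parameter or header value."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    candidates = [("raw", raw)]
    urldecoded = unquote_to_bytes(raw)
    if urldecoded != raw:
        candidates.append(("urldecoded", urldecoded))
    for src_label, src in list(candidates):           # base64 may sit under URL-encoding
        for enc_label, blob in _base64_candidates(src):
            label = enc_label if src_label == "raw" else f"{src_label}+{enc_label}"
            candidates.append((label, blob))
    findings, seen = [], set()
    for label, blob in candidates:
        if blob in seen:                               # same bytes reached two ways
            continue
        seen.add(blob)
        findings.extend(f"{label}:{fmt}" for fmt, matches in SIGNATURES if matches(blob))
    return sorted(findings)


def scan(params):
    """Flag every entry of a name -> value mapping whose value fingerprints."""
    return {name: hits for name, value in params.items() if (hits := fingerprint(value))}


# Constructed sample request values (not captured from any real application).
SAMPLES = {
    "java_cookie": base64.b64encode(b"\xac\xed\x00\x05sr\x00\x08Exploit").decode(),
    "pickle_param": quote_from_bytes(b"\x80\x04\x95\x10\x00\x00\x00\x00\x00\x00\x00}\x94."),
    "php_cookie": 'O:4:"User":1:{s:4:"role";s:5:"admin";}',
    "ruby_session": base64.b64encode(b"\x04\x08[\x06i\x06").decode(),
    "viewstate": base64.b64encode(b"\xff\x01\x0f\x05\x01\x02\x03").decode(),
    "json_body": '{"user": "alice"}',
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a lead, not a finding: short base64 blobs can decode to bytes that happen to start with `0x80`, and compressed or encrypted wrappers (gzip, a MAC-protected ViewState) hide the header entirely, so confirm by tampering with the value and watching for a deserialisation exception from the application before spending time on gadget chains.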

@rbsec
Collaborator

rbsec commented Jun 17, 2020

The black/white box review stuff doesn't really belong, but there's a load of defensive stuff for Java and .NET.

It could certainly do with a cleanup, but I think it still has a place in the Cheat Sheets project.

@ThunderSon
Collaborator

Lovely. This is something we can look at. (Rick, it's not porting the whole CS.)

Getting data from that CS for the WSTG, and refreshing the focus and look of the Deserialization CS.

@kingthorin
Collaborator

Sounds good 👍

@Hsiang-Chih
Contributor

  1. "How to test for Deserialisation of Untrusted Data": is there an existing section, or will it be a new section?

  2. Agree that the whitebox review can't verify the deserialization results; it can only narrow the scope.

@ThunderSon
Collaborator

This needs to be added. I am getting vibes of adding this to Business Logic Testing, as it's on an object level and how processing is going to handle the object. If not, we downgrade to Input Val Testing
@kingthorin let me know what you think.

@kingthorin
Collaborator

To me it's an Input Validation issue. Business Logic is more specific for things like improper handling of pricing, rebates, HR processes, orders, manufacturing, etc.

@jespunya
Contributor

I agree with @kingthorin; this is more about Input Validation, since it's the abuse of unexpected inputs to perform an action that is not desired or authorized. Commonly the impact would be Business Logic exploitation, but that's not a necessary condition. For example, you can have an XML bomb that would be part of the deserialization of untrusted data and results in a DoS instead of manipulation of the Business Logic.
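
The XML-bomb case from that comment, as an added example that is not code from the WSTG: estimate how large the entity references in a document would expand to before handing it to a parser, and refuse it once a budget is exceeded, without ever building the expanded text. The estimator, its limit and the constructed documents (`billion_laughs`, `BENIGN`, `RECURSIVE`) are this example's own assumptions; it covers internal general entities only, so external and parameter entities need their own handling.

```python
import re

# Internal general entity declarations and references only (assumption: external
# and parameter entities are outside this estimate).
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")


class EntityExpansionError(ValueError):
    """Raised when the expanded size would exceed the limit or entities recurse."""


def _expanded_size(name, decls, memo, stack):
    """Characters entity `name` expands to, computed without expanding it."""
    if name in memo:
        return memo[name]
    if name not in decls:
        return 1                                 # predefined (&amp;) or undeclared: one char
    if name in stack:
        raise EntityExpansionError(f"recursive entity &{name};")
    stack.add(name)
    text, total, pos = decls[name], 0, 0
    for ref in ENTITY_REF.finditer(text):
        total += ref.start() - pos               # literal text before the reference
        total += _expanded_size(ref.group(1), decls, memo, stack)
        pos = ref.end()
    total += len(text) - pos                     # trailing literal text
    stack.discard(name)
    memo[name] = total
    return total


def estimate_expansion(document, limit=1_000_000):
    """Return how many characters the body's entity references expand to.

    Raises EntityExpansionError as soon as the running total passes `limit`,
    so a billion-laughs document is rejected without being expanded.
    """
    head, sep, body = document.partition("]>")
    if not sep:                                  # no internal DTD subset: nothing can expand
        head, body = "", document
    decls = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in ENTITY_DECL.finditer(head)}
    memo, total = {}, 0
    for ref in ENTITY_REF.finditer(body):
        total += _expanded_size(ref.group(1), decls, memo, set())
        if total > limit:
            raise EntityExpansionError(f"entity expansion exceeds {limit} characters")
    return total


def is_bomb(document, limit=1_000_000):
    try:
        estimate_expansion(document, limit)
    except EntityExpansionError:
        return True
    return False


def billion_laughs(depth=9, fanout=10):
    """Construct the classic 'billion laughs' document (3 * fanout**depth chars)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>")


# Constructed documents for comparison.
BENIGN = ('<!DOCTYPE note [ <!ENTITY co "Example Corp"> ]>\n'
          '<note>&co; and &co; &amp; others</note>')
RECURSIVE = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'

if __name__ == "__main__":
    print("benign expands to", estimate_expansion(BENIGN), "chars")
    print("billion laughs is a bomb:", is_bomb(billion_laughs()))
    print("recursive entities are a bomb:", is_bomb(RECURSIVE))
```

This pre-check is a tester's instrument, not a substitute for parser settings: in production the parser's own entity limits (or, in Python, `defusedxml`) do the enforcing, and the same document sent to the target shows whether the application's parser expands entities at all.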

@ThunderSon
Collaborator

Mhm, agreed. I had a discussion back then with @kingthorin and we agreed on it being in Input Validation.
@Hsiang-Chih to answer you (apologies), this will have to be a new section.

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@kingthorin
Collaborator

@vermava @RiieCco any news?

@RiieCco
Contributor

RiieCco commented Dec 14, 2020

@kingthorin, I am on it again!

@RiieCco
Contributor

RiieCco commented Feb 5, 2021

Almost finished, I need to put in some scan output results in the file. I had a couple of busy weeks, but I expect to finish it soon for a first PR ^^

@RiieCco
Contributor

RiieCco commented Apr 3, 2021

@kingthorin, I will create the PR next week! :-)

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@github-actions

github-actions bot commented Sep 15, 2021

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@RiieCco
Contributor

RiieCco commented Sep 15, 2021

I am still working on this one; sadly I got a massive burnout after wanting to commit this.
I can send what I already had written on the subject to anybody who wants to pick this up?

Otherwise I will commit in due time when I am back on track again :-)

@kingthorin
Collaborator

kingthorin commented Sep 15, 2021

No problem, thanks for the update. Whenever you get to it is great. Don’t let stale bot get to ya.

@RiieCco
Contributor

RiieCco commented Sep 15, 2021

@kingthorin hahaha will do, thanks! ^^

@alex97saba

Hi everyone,
How far did you go in the project? I would like to continue your work if help is needed.
Thank you

@ThunderSon
Collaborator

@RiieCco Hello mate! :)
Would you be able to coordinate with @alex97saba to move the needle on this? Maybe provide write access on the branch and then open a draft PR. Let us know if we can help.

@RiieCco
Contributor

RiieCco commented Sep 21, 2021

Hey @ThunderSon sure thing!

It has literally been 6 months since I last touched a laptop, so I will need to check things a bit.
@alex97saba thank you very much for helping out, man! I will set up everything as soon as possible!
Also, can I find you on the OWASP Slack channel for discussions etc.? :-)

Cheers!

@ThunderSon
Collaborator

I am not sure @alex97saba is on slack, but there is a channel testing-guide if you need that :)

@alex97saba

Thank you very much @RiieCco, I just wrote you on Slack (hoping it is the right person :) ).

@kingthorin kingthorin added the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Oct 1, 2021
@kingthorin kingthorin removed the HacktoberFest Issues which are good candidates for HacktoberFest: https://hacktoberfest.digitalocean label Nov 4, 2021
@github-actions

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
