
Add Testing for Deserialisation of Untrusted Data

Open itscooper opened this issue 7 years ago • 32 comments

https://cwe.mitre.org/data/definitions/502.html

itscooper avatar Jun 15 '17 11:06 itscooper

Hi,

I have delivered a workshop on this topic and would like to contribute to the testing guide by adding details on how to go about finding these issues in various languages like Java, PHP, Python, Node.js and .NET.

Please guide me as to how I can add the details.

salecharohit avatar Jul 18 '18 14:07 salecharohit

Hi Team, I am picking up the topic and working on it

Thank You Vandana

vermava avatar Aug 20 '19 19:08 vermava

Hey @vermava,

How far did you get with writing test scenarios for this one? I can maybe give some assistance here since we also already have labs for insecure deserialization.

https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-deserialisation-yaml
https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-des-pickle-2

RiieCco avatar Jan 11 '20 20:01 RiieCco

@RiieCco I tried tagging Verma on another issue. No replies. You can move forward with this 😄

ThunderSon avatar Jan 11 '20 23:01 ThunderSon

@RiieCco are you going to be able to tackle this?

kingthorin avatar Jun 14 '20 11:06 kingthorin

For serialization issues, there are blackbox and whitebox approaches. Refer to the section I have done for the CheatSheet. Let me know if there is any section I can help add. Deserialization_Cheat_Sheet.html

Hsiang-Chih avatar Jun 17 '20 10:06 Hsiang-Chih

Looking at the CS, that CS should belong in this project. It's purely offensive. @rbsec @kingthorin what are your thoughts on this?

ThunderSon avatar Jun 17 '20 18:06 ThunderSon

It ends with some offensive references but the majority of the article is about Deserializing Safely (from my skim of the content).

As for white vs blackbox: although code review is mentioned in the TG, it isn't really "testing", so blackbox is probably more applicable (ex: ways you'd identify and exploit during a penetration test or leveraging DAST).

kingthorin avatar Jun 17 '20 18:06 kingthorin

The black/white box review stuff doesn't really belong, but there's a load of defensive stuff for Java and .NET.

It could certainly do with a cleanup, but I think it still has a place in the cheat sheets project.

rbsec avatar Jun 17 '20 18:06 rbsec

Lovely. This is something we can look at. (Rick it's not porting the whole CS)

Getting data from that CS for the WSTG, and refreshing the focus and look of the Deserialization CS.

ThunderSon avatar Jun 17 '20 20:06 ThunderSon

Sounds good 👍

kingthorin avatar Jun 17 '20 21:06 kingthorin

  1. "How to test for Deserialisation of Untrusted Data" Is there any existing section or it will be a new section?

  2. Agree that the whitebox review can't verify the deserialization results; it can only narrow the scope.

Hsiang-Chih avatar Jun 17 '20 23:06 Hsiang-Chih

This needs to be added. I am getting vibes of adding this to Business Logic Testing, as it's on an object level and how processing is going to handle the object. If not, we downgrade to Input Val Testing @kingthorin let me know what you think.

ThunderSon avatar Jun 18 '20 08:06 ThunderSon

To me it's an Input Validation issue. Business Logic is more specific for things like improper handling of pricing, rebates, HR processes, orders, manufacturing, etc.

kingthorin avatar Jun 18 '20 12:06 kingthorin

I agree with @kingthorin, this is more about Input Validation since it's the abuse of unexpected inputs to perform an action not desired or authorized. Commonly the impact would be a Business Logic exploitation, but that's not a necessary condition. For example, you can have an XML bomb that would be part of the deserialization of untrusted data and results in a DoS instead of the manipulation of the Business Logic.

jespunya avatar Jun 29 '20 22:06 jespunya
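The input-validation framing above (and the pickle lab linked earlier in the thread) comes down to one control: the deserializer must not resolve arbitrary type or function references named by the incoming bytes. As an added illustration that is not part of this issue or of the WSTG/cheat sheet text, the block below puts stdlib `pickle.loads` (the 'before' form) beside a `pickle.Unpickler` subclass whose `find_class` enforces an allowlist (the 'after' form, following the pattern documented in the Python `pickle` module docs). The allowlist contents, the sample streams and the `classify` helper are constructed for the example; the rejected stream merely names a harmless function outside the allowlist, which is enough to show the difference between the two loaders.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the application expects in serialized data.
# Constructed for this example; a real service lists only its own DTO classes.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global reference outside SAFE_GLOBALS.

    Every class or function a pickle stream names (GLOBAL / STACK_GLOBAL
    opcodes) is resolved through find_class(); overriding it turns an
    open-ended import into an allowlist lookup.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_loads(data: bytes):
    """'Before' form: pickle.loads resolves whatever global the stream names."""
    return pickle.loads(data)


def restricted_loads(data: bytes):
    """'After' form: same stream, but every global goes through the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Helper (constructed): report whether the hardened loader accepts a stream."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs.
# Plain containers serialize to container opcodes, no global lookups needed.
BENIGN = pickle.dumps({"user": "alice", "roles": ["viewer"], "tags": {"a"}})
# A stream that names a function outside the allowlist (a harmless one, chosen
# only to show the lookup): pickle.loads resolves it, the restricted loader refuses.
FUNCTION_REF = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(classify(BENIGN))                       # accepted
    print(classify(FUNCTION_REF))                 # rejected: forbidden global ...
    print(unsafe_loads(FUNCTION_REF) is os.getcwd)  # True: the stock loader resolved it
```

The point for a tester is visible in the last two lines: the same bytes are accepted by the stock loader and refused by the hardened one, so any endpoint that feeds user-controlled data into `pickle.loads` (or an equivalent in another language) without such a restriction is the finding, independent of what business logic sits behind it.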

Mhm, agreed. I had a discussion back then with @kingthorin and we agreed on it being in Input Validation. @Hsiang-Chih to answer you (apologies), this will have to be a new section.

ThunderSon avatar Jul 01 '20 07:07 ThunderSon

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] avatar Aug 15 '20 00:08 github-actions[bot]

@vermava @RiieCco any news?

kingthorin avatar Nov 10 '20 20:11 kingthorin

@kingthorin, I am on it again!

RiieCco avatar Dec 14 '20 15:12 RiieCco

Almost finished, need to put in some scan output results in the file. Had a couple of busy weeks but I expect to finish it soon for a first PR ^^

RiieCco avatar Feb 05 '21 12:02 RiieCco

@kingthorin, I will create the PR next week! :-)

RiieCco avatar Apr 03 '21 16:04 RiieCco

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] avatar May 15 '21 00:05 github-actions[bot]

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] avatar Sep 15 '21 00:09 github-actions[bot]

I am still working on this one, sadly I got a massive burnout after wanting to commit this. I can send what I already had written on the subject to anybody who wants to pick this up?

Otherwise I will commit in due time when I am getting back on track again :-)

RiieCco avatar Sep 15 '21 10:09 RiieCco

No problem, thanks for the update. Whenever you get to it is great. Don’t let stale bot get to ya.

kingthorin avatar Sep 15 '21 11:09 kingthorin

@kingthorin hahaha will do, thanks! ^^

RiieCco avatar Sep 15 '21 11:09 RiieCco

Hi everyone, how far did you go in the project? I would like to continue your work if help is needed. Thank you

alex97saba avatar Sep 17 '21 18:09 alex97saba

@RiieCco Hello mate! :) Would you be able to coordinate with @alex97saba to move the needle on this? Maybe provide write access on the branch and then open a draft PR. Let us know if we can help.

ThunderSon avatar Sep 20 '21 21:09 ThunderSon

Hey @ThunderSon sure thing!

It has literally been 6 months since I last touched a laptop so I will need to check things a bit. @alex97saba thank you very much for helping out man! I will set up everything as soon as possible! Also, can I find you on the OWASP Slack channel for discussions etc? :-)

Cheers!

RiieCco avatar Sep 21 '21 08:09 RiieCco

I am not sure @alex97saba is on Slack, but there is a channel testing-guide if you need that :)

ThunderSon avatar Sep 23 '21 12:09 ThunderSon