A consistent inclusion in the OWASP Top 10, insecure deserialization is a subtle but dangerous application security threat. This aptly named attack exploits data serialization, the “bread and butter” data transformation process that takes place when an object is passed from one web application to another. Under normal circumstances, when an object is sent to an application, it is first converted (serialized) into a structured text or binary format and then transmitted over the network as a sequential stream of bytes. On the receiving application’s end, the serialized data is turned back into an object (deserialized) before being interpreted by the application. Most commonly, that data is serialized as CSV, XML, or JSON. Whichever format is used, properly securing the deserialization step is a critical piece of the design “puzzle” for any individual developer or business to solve, because the input being reconstructed into objects is, in the general case, controlled by the sender.
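To make the general point concrete for the JSON case the article focuses on, the following is an added example (not code from the article or from the API it goes on to describe) showing the difference between a JSON mapper that lets the input choose which class gets instantiated and one that does not. It assumes Jackson Databind 2.10 or later on the classpath; the `Order`, `Shape`, `Circle` and `Square` types are hypothetical placeholders for an application’s own domain classes.

```java
// Added example (not from the article): safe JSON deserialization with Jackson.
// Assumes Jackson Databind 2.10+ (com.fasterxml.jackson.core:jackson-databind).
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeJsonDeserialization {

    // Hypothetical domain object the application expects on the wire.
    public static class Order {
        public String orderId;
        public int quantity;
        public double unitPrice;
    }

    // Hypothetical polymorphic hierarchy, used only for the restricted mapper below.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // Preferred configuration: no default typing. The target class is fixed in
    // code, so the JSON document can never pick which class is instantiated.
    // Unknown properties (including a stray type hint) are rejected, not ignored.
    static final ObjectMapper STRICT = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);

    // Only when polymorphism is genuinely needed: restrict type ids to subtypes
    // of the application's own marker interface. The weak counterpart is the
    // deprecated enableDefaultTyping(), which lets input select any non-final
    // class on the classpath; it is deliberately not used here.
    static final ObjectMapper POLYMORPHIC;
    static {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)   // a package-prefix string form also exists
                .build();
        POLYMORPHIC = new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static Order parseOrder(String json) throws Exception {
        return STRICT.readValue(json, Order.class);
    }

    public static Shape parseShape(String json) throws Exception {
        return POLYMORPHIC.readValue(json, Shape.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a well-formed order.
        Order ok = parseOrder("{\"orderId\":\"A-100\",\"quantity\":2,\"unitPrice\":9.5}");
        System.out.println("parsed order " + ok.orderId + " x" + ok.quantity);

        // Constructed sample input carrying an unexpected property: rejected.
        try {
            parseOrder("{\"orderId\":\"A-101\",\"quantity\":1,\"unitPrice\":1.0,\"@class\":\"x\"}");
        } catch (Exception e) {
            System.out.println("rejected order: " + e.getClass().getSimpleName());
        }

        // Constructed polymorphic input naming an allow-listed subtype: accepted.
        // NON_FINAL default typing uses the wrapper-array form [typeId, value].
        String circle = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        Shape s = parseShape(circle);
        System.out.println("parsed shape " + s.getClass().getSimpleName());

        // Constructed polymorphic input naming a JDK class that is not a Shape:
        // the validator refuses it before any object is built.
        try {
            parseShape("[\"java.util.HashMap\",{}]");
        } catch (Exception e) {
            System.out.println("rejected shape: " + e.getClass().getSimpleName());
        }
    }
}
```

The design choice worth noting is the order of preference: fix the target type in code first, and reach for default typing with an explicit allow-list only when the application really must reconstruct a class hierarchy from JSON. A mapper that accepts arbitrary class names from the wire is exactly the condition the article describes as insecure deserialization.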
The purpose of this article is to highlight the dangers of insecure deserialization attacks and to demonstrate a cloud-based security API that can be deployed to help mitigate this threat, specifically for JSON deserialization. The demonstration includes step-by-step instructions for structuring the API call in Java, using the code examples provided further down the page.