
Find Deserialization Sinks in a Java Application

OWASP provides a Deserialization Cheat Sheet that offers guidance on how to safely deserialize untrusted data.

You can use Ocular to search for references to the relevant methods:

def sinkMethods = cpg.method.or(
  _.fullName(".*(XMLDecoder|ObjectInputStream).*readObject.*"),   // java.beans.XMLDecoder and ObjectInputStream.readObject
  _.fullName(".*XStream.*fromXML.*"),                              // XStream XML deserialization
  _.fullName(".*(readObjectNoData|readResolve|readExternal).*"),   // serialization hooks defined on application classes
  _.fullName(".*ObjectInputStream.*readUnshared.*"))               // readUnshared is a sink like readObject

sinkMethods.calledBy(cpg.method).newCallChain.p

The OWASP guide also suggests hardening classes derived from Serializable. Ocular can help you identify classes that inherit directly from Serializable:

cpg.typeDecl.name("Serializable").derivedTypeDecl.fullName.l

To get a list of classes that inherit from Serializable (either directly or indirectly), use:

cpg.typeDecl.name("Serializable").derivedTypeDeclTransitive.fullName.l
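The following Java program is an added example, not part of this page or of Ocular, showing what the hardening the OWASP guide recommends looks like on the application side: a Serializable class whose readObject hook refuses deserialization, and an ObjectInputStream subclass whose resolveClass only admits an allowlist of class names. The class and method names (AuditRecord, LookAheadObjectInputStream, readWithAllowlist) are hypothetical; the sample bytes are serialized in-process.

```java
import java.io.*;
import java.util.Date;
import java.util.Set;

public class DeserializationHardening {
    // A Serializable class hardened as the OWASP cheat sheet suggests: if instances must
    // never be rebuilt from untrusted bytes, the readObject hook refuses outright.
    // The sink query above lists exactly these hooks, which is why they get reviewed.
    static final class AuditRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException {
            throw new IOException("AuditRecord must not be deserialized");
        }
    }

    // Allowlisting ObjectInputStream: resolveClass runs before any object is instantiated,
    // so a class not on the list is rejected before its readObject/readResolve/readExternal runs.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // Constructed sample input: objects serialized in-process and read straight back.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object readWithAllowlist(byte[] bytes, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readWithAllowlist(serialize(new Date(0)), Set.of("java.util.Date"))); // allowed
        try { readWithAllowlist(serialize(new Date(0)), Set.of()); }                        // not on the list
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
        try { readWithAllowlist(serialize(new AuditRecord()), Set.of(AuditRecord.class.getName())); }
        catch (IOException e) { System.out.println("refused: " + e.getMessage()); }        // hook throws
    }
}
```

Note that the allowlist must name every class descriptor in the stream, including serializable superclasses, so a value such as an Integer needs both java.lang.Integer and java.lang.Number on the list.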

In the context of deserialization vulnerabilities, you may also want to review the library version. For example, to determine the version of the "XStream" library in use, run:

cpg.dependency.name(".*xstream.*").version.l