Java Deserialization Prevention When Using XStream
Author(s):
Muhammad Akbar
Publish date: Jun 19, 2019
Java deserialization attacks can result in remote code execution. XStream instantiates whatever classes the incoming XML names, so an XStream instance fed untrusted input is susceptible to deserialization attacks and, through known gadget classes, to remote code execution. XStream ships a Security Framework that lets you restrict deserialization to an explicit allow list of classes, which removes the attacker's ability to pick a gadget class and so prevents the attack.
In the XStream releases current when this was written, the security framework was effectively inactive: the default permission was AnyTypePermission, i.e. any type named in the XML was accepted. You have to clear out this default and register your own permissions to activate the framework. Later releases (1.4.18 and newer) ship a restrictive default allow list, but an explicit setup like the one below is still the recommended configuration, because it documents exactly which classes your application expects to read. An example fix is as below:
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ArrayTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Packages whose classes may be instantiated from XML; "**" also matches subpackages
final static String[] XSTREAM_TYPES_ALLOWED_FOR_DESERIALIZATION = {
    "com.corp.prod.**",
    "com.oss.classes.**"};

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow your own types here, for example:
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.addPermission(ArrayTypePermission.ARRAYS);
xstream.allowTypeHierarchy(String.class);
xstream.allowTypesByWildcard(XSTREAM_TYPES_ALLOWED_FOR_DESERIALIZATION);