Research into Occurrence of Insecurely-Serialized Objects in Client-Side Code of Web-Applications
https://doi.org/10.15514/ISPRAS-2023-35(1)-14
Abstract
This paper studies the occurrence of insecure deserialization in the communication between the client-side code and the server side of a web application. Special attention was paid to serialized objects sent from JavaScript client-side code. Specific patterns of serialized-object usage within client-side JavaScript code were identified and formulated as distinct classes, whose main purpose is to facilitate manual and automatic analysis of web applications. A tool that detects serialized objects in the client-side code of a web page has been designed and implemented. The tool finds encoded serialized objects, including objects encoded with several sequentially applied encodings. For each serialized object found, the tool determines the context in which the object appears on the page. For objects inside JavaScript code, the tool identifies the previously mentioned classes by matching vertices of the code's abstract syntax tree (AST). After the results of the study were obtained, the corresponding web application endpoints were checked for whether programming objects were deserialized on the server side. This check uncovered previously unknown vulnerabilities, which were reported to the developers of the affected software; one of them was assigned CVE-2022-24108. Based on the results of this research, a method was proposed to facilitate both manual and automated searches for "Deserialization of untrusted data" vulnerabilities. The proposed algorithm was tested on more than 50,000 web application pages from the Alexa Top 1M list, as well as on 20,000 web application pages from Bug Bounty programs.
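The abstract describes two steps of the tool: peeling off sequentially applied encodings until a serialization signature appears, and recording the context in which the object sits on the page. The following Python script is an added illustration of that approach written for this page; it is not the paper's tool, and its signature table (PHP, Java, pickle, .NET BinaryFormatter magic prefixes), its decoder set (base64, percent-encoding, hex, gzip) and the sample page with a hidden-field and a JavaScript-literal payload are all constructed assumptions. The search is depth-first and depth-limited, and a decoder only counts as a layer when it actually changes the bytes, so innocuous tokens such as a hex CSRF value are not reported.

```python
"""Layered-encoding detector for serialized objects in client-side page content.

Added example, not the paper's tool. Signatures, decoders and the sample page
are constructed here for illustration.
"""
import base64
import binascii
import gzip
import re
import urllib.parse
import zlib

# Magic prefixes of common serialization formats (assumed list; the paper does
# not publish its own signature set).
SIGNATURES = {
    "php": re.compile(rb"^[OCa]:\d+:"),                 # O:4:"User":..., a:2:{...}
    "java": re.compile(rb"^\xac\xed\x00\x05"),          # java.io.ObjectOutputStream
    "python_pickle": re.compile(rb"^\x80[\x02-\x05]"),  # pickle protocol 2..5
    "dotnet_binaryformatter": re.compile(rb"^\x00\x01\x00\x00\x00\xff\xff\xff\xff"),
}


def _b64(data):
    """Base64 (standard or URL-safe alphabet, padding optional) or None."""
    s = data.strip()
    if len(s) < 8 or not re.fullmatch(rb"[A-Za-z0-9+/_-]+=*", s):
        return None
    s = s.replace(b"-", b"+").replace(b"_", b"/")
    s += b"=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def _url(data):
    """Percent-decoding; only counts as a layer if it changes the bytes."""
    if b"%" not in data:
        return None
    out = urllib.parse.unquote_to_bytes(data)
    return out if out != data else None


def _hex(data):
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9A-Fa-f]{8,}", s):
        return None
    return binascii.unhexlify(s)


def _gzip(data):
    if not data.startswith(b"\x1f\x8b"):
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


DECODERS = [("base64", _b64), ("url", _url), ("hex", _hex), ("gzip", _gzip)]


def identify(data):
    """Name of the serialization format whose magic prefix matches, or None."""
    for name, sig in SIGNATURES.items():
        if sig.match(data):
            return name
    return None


def detect(value, max_depth=4):
    """Depth-first search through sequentially applied encodings.

    Returns (format, [encoding, ...]) with the layers in the order they must be
    removed, or None if no signature is reached within max_depth layers.
    """
    data = value.encode() if isinstance(value, str) else value
    fmt = identify(data)
    if fmt:
        return fmt, []
    if max_depth == 0:
        return None
    for name, decoder in DECODERS:
        out = decoder(data)
        if out is None:
            continue
        found = detect(out, max_depth - 1)
        if found:
            return found[0], [name] + found[1]
    return None


# Quoted string literals and attribute values long enough to carry a payload.
CANDIDATE = re.compile(r"""["']([^"'<>\s]{12,})["']""")


def _context(text, pos):
    """Rough location of an offset: inside <script>, inside a tag's attributes, or text."""
    head = text[:pos]
    if head.count("<script") > head.count("</script"):
        return "script"
    tag_start = head.rfind("<")
    if tag_start != -1 and ">" not in head[tag_start:]:
        tag = head[tag_start:].split(None, 1)[0].lstrip("<").lower()
        return "attribute:" + tag
    return "text"


def scan_page(text):
    """One finding per candidate literal that decodes to a serialized object."""
    findings = []
    for m in CANDIDATE.finditer(text):
        hit = detect(m.group(1))
        if hit:
            findings.append({"offset": m.start(1), "context": _context(text, m.start(1)),
                             "format": hit[0], "encodings": hit[1]})
    return findings


# Constructed sample page: a PHP object, base64- then percent-encoded, in a hidden
# form field; a Java object stream, base64-encoded, in a JS literal; and a plain
# hex token that must not be reported.
_php = b'O:4:"User":1:{s:4:"name";s:5:"alice";}'
_java = b"\xac\xed\x00\x05sr\x00\x10com.example.User"
_state = urllib.parse.quote(base64.b64encode(_php).decode(), safe="")
_profile = base64.b64encode(_java).decode()
SAMPLE_PAGE = (
    '<html><body>\n<input type="hidden" name="state" value="%s">\n'
    "<script>\nvar profile = '%s';\nvar csrf = 'a3f9c2e1b4d8';\n</script></body></html>"
) % (_state, _profile)

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run stand-alone, the script reports the hidden field as a PHP object under `url` then `base64` and the JavaScript literal as a Java stream under `base64`, while the hex token yields nothing. Each reported context and encoding chain is the starting point for the server-side check the abstract describes: the endpoint that receives that value is the one to verify for deserialization of untrusted data.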
About the Authors
Denis Dmitrievich MIRONOV
Russian Federation
Security Researcher
Daniil Alekseevich SIGALOV
Russian Federation
Junior Researcher of Laboratory of Mathematical Problems of Computer Security at the CMC Faculty of Lomonosov Moscow State University, Security Researcher at SolidSoft LLC
Maxim Petrovich MALKOV
Russian Federation
Lead Programmer of Laboratory of Mathematical Problems of Computer Security at the CMC Faculty of Lomonosov Moscow State University, Security Researcher at SolidSoft LLC
For citations:
MIRONOV D.D., SIGALOV D.A., MALKOV M.P. Research into Occurrence of Insecurely-Serialized Objects in Client-Side Code of Web-Applications. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2023;35(1):223-236. (In Russ.) https://doi.org/10.15514/ISPRAS-2023-35(1)-14