Object serialization allows an object's state to be saved as a sequence of bytes and then reconstituted at a later time. Default serialization lacks protection for serialized data that has been serialized. An attacker who gains access to the serialized data can use it to discover sensitive datainformation, to determine implementation details of the objects, and for many other purposes. Similarly, an An attacker can also modify the serialized data in an attempt to compromise the system when the malicious data is deserialized. Consequently, sensitive data that is serialized is potentially exposed, without regard to the access qualifiers (such as the private keyword) that were used in the original code. Moreover, the security manager lacks checks that could to guarantee the integrity of the serialized data.
...
The data members of class Point are declared as private. If the coordinates were are sensitive (as we assume for this example), their presence in the data stream would expose them to malicious tampering.
...
When serializing a class that contains sensitive data, programs must ensure that sensitive data is omitted from the serialized form. This includes both suppressing serialization of data members that contain sensitive data, and also suppressing serialization of references to non-serializable or sensitive objects.
This compliant solution both avoids the possibility of incorrect serialization and also protects sensitive data members from accidental serialization by declaring the relevant members as transient so that they are omitted from the list of fields to be serialized by the default serialization mechanism.
...
If sensitive data can be serialized, it may be transmitted over an insecure link, or stored in an insecure mediumlocation, or disclosed inappropriately.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CWE ID 499 "Serializable Class Containing Sensitive Data" | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a4a524a00c0e2f78-91f96104-4c33446a-a7488fa1-ee336e51858cf9e6a48cbcd2"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 502 | http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 499 "Serializable Class Containing Sensitive Data" | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ed838ea0-8d60-4492-9cbf-2ee7274b72f5"><ac:plain-text-body><![CDATA[ | [[SCG 2009 | AA. Bibliography#SCG 09]] | Guideline 5-2 Guard sensitive data during serialization | ]]></ac:plain-text-body></ac:structured-macro> |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0222b9ff0be544bf-1d2210a8-4a1e4206-9aa3aacb-d3cd5c189eaaec4557e1a38f"><ac:plain-text-body><![CDATA[ | [[Bloch 2005 | AA. Bibliography#Bloch 05]] | Puzzle 83: Dyslexic Monotheism | ]]></ac:plain-text-body></ac:structured-macro> | |||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e29bb9ffc13cefed-507b1a03-42454952-8b2285eb-b0ff90405934e3b34afe73fc"><ac:plain-text-body><![CDATA[ | [[Bloch 2001 | AA. Bibliography#Bloch 01]] | Item 1: Enforce the singleton property with a private constructor | ]]></ac:plain-text-body></ac:structured-macro> | |||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a239cf8ea5c6ed7a-11966a97-41034d1e-9aedad9d-5aede05c5e4e442270ed13ed"><ac:plain-text-body><![CDATA[ | [[Greanier 2000 | AA. Bibliography#Greanier 00]] | [Discover the secrets of the Java Serialization API | http://java.sun.com/developer/technicalArticles/Programming/serialization/] | ]]></ac:plain-text-body></ac:structured-macro> | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5ec81a8b621238a8-c00846ae-41aa4c33-9e3eb551-1b3792360db30f48470524a6"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. Bibliography#Harold 99]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f01c46e040396dcc-fd686b90-4f7445b4-bc2583c6-0578f48d3722cd7b1dd3ff8c"><ac:plain-text-body><![CDATA[ | [[JLS 2005 | AA. Bibliography#JLS 05]] | [Transient modifier | http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020] | ]]></ac:plain-text-body></ac:structured-macro> | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a4074b1df0076c4c-7c8923a8-45004334-9a54bf6f-d7ea86ba4faad542cd3a1ed4"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.4, Serialization | ]]></ac:plain-text-body></ac:structured-macro> | |||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0f9af71c6f91abba-7d18733c-458a4aae-8831-408486bc25df"><ac:plain-text-body><![CDATA[ | [[SCG 2009 | AA. Bibliography#SCG 09]] | Guideline 5-2 Guard sensitive data during serialization | ]]></ac:plain-text-body></ac:structured-macro> | <ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e443bd8a-691b-41e6-9ea0-b41d72652b64a4bf-3994b5c0403b"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]] | "Serialization specification: A.4 Preventing Serialization of Sensitive Data" | ]]></ac:plain-text-body></ac:structured-macro> |
...