...
Deserialization can also be abused to create additional instances of a class that is meant to be a singleton: every call to {{ObjectInputStream.readObject()}} constructs a fresh object without invoking the class's private constructor, so the constructor-based guard is bypassed. In this noncompliant code example, the subclass {{SensitiveClass}} inadvertently becomes serializable because it extends {{Exception}}, which implements {{Serializable}} (via {{Throwable}}). The class itself never declares {{Serializable}}, so the exposure is easy to overlook. (Based on \[[Bloch 05|AA. Java References#Bloch 05]\])
...
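The following Java program is an added illustration of the problem described above and of one way to close it; it is not the page's own noncompliant or compliant code. Only the name {{SensitiveClass}} comes from the page: its body, the {{HardenedSensitiveClass}} variant, the {{roundTrip}} helper and the sample secret are assumed here. It serializes each singleton to a byte array and reads it back, then reports whether the object that came out of the stream is the original instance.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Added example, not code from the CERT page. Demonstrates that a "singleton"
// which extends Exception is serializable by inheritance, and that a round trip
// through ObjectInputStream yields a second instance unless readResolve intervenes.
public class SingletonSerializationDemo {

    // Noncompliant: the body is assumed; only the class name is taken from the page.
    // Exception implements Serializable (via Throwable), so this class is serializable
    // even though it never says so, and the private constructor is never run on readObject().
    static class SensitiveClass extends Exception {
        private static final long serialVersionUID = 1L;
        private static final SensitiveClass INSTANCE = new SensitiveClass();
        // Constructed sample data standing in for whatever the real class protects.
        private final char[] secret = "hunter2".toCharArray();

        private SensitiveClass() { }

        static SensitiveClass getInstance() { return INSTANCE; }
    }

    // Hardened variant (assumed name): readResolve hands the canonical instance back to
    // the deserializer, so the freshly constructed copy is discarded. The field is
    // transient so that the secret never enters the stream at all.
    static class HardenedSensitiveClass extends Exception {
        private static final long serialVersionUID = 1L;
        private static final HardenedSensitiveClass INSTANCE = new HardenedSensitiveClass();
        private transient char[] secret = "hunter2".toCharArray();

        private HardenedSensitiveClass() { }

        static HardenedSensitiveClass getInstance() { return INSTANCE; }

        // Invoked by ObjectInputStream after the copy is built; its return value replaces it.
        private Object readResolve() { return INSTANCE; }
    }

    // Serialize an object to memory and deserialize it again, returning what the stream produced.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    // true if the deserialized object is the very same instance as the singleton.
    static boolean survivesRoundTrip(Object singleton) throws IOException, ClassNotFoundException {
        return roundTrip(singleton) == singleton;
    }

    public static void main(String[] args) throws Exception {
        // Noncompliant class: a second, distinct instance now exists in the JVM.
        System.out.println("SensitiveClass singleton preserved: "
                + survivesRoundTrip(SensitiveClass.getInstance()));
        // Hardened class: readResolve collapses the copy back onto INSTANCE.
        System.out.println("HardenedSensitiveClass singleton preserved: "
                + survivesRoundTrip(HardenedSensitiveClass.getInstance()));
    }
}
```

Run it and the first line reports {{false}}, the second {{true}}. Two design points are worth keeping in mind: a {{readResolve}} singleton should declare all of its instance fields {{transient}} (otherwise a crafted stream can obtain a reference to the discarded copy before {{readResolve}} runs), and if the class should never be serialized at all, a private {{writeObject}} that throws {{NotSerializableException}} is the more direct defence than relying on {{readResolve}}.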
References
\[[JLS 05|AA. Java References#JLS 05]\] [Transient modifier|http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020]
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 5-1 Guard sensitive data during serialization
\[[Sun 06|AA. Java References#Sun 06]\] "Serialization specification: A.4 Preventing Serialization of Sensitive Data"
\[[Harold 99|AA. Java References#Harold 99]\]
\[[Long 05|AA. Java References#Long 05]\] Section 2.4, Serialization
\[[Greanier 00|AA. Java References#Greanier 00]\] [Discover the secrets of the Java Serialization API|http://java.sun.com/developer/technicalArticles/Programming/serialization/]
\[[Bloch 05|AA. Java References#Bloch 05]\] Puzzle 83: Dyslexic Monotheism
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 1: Enforce the singleton property with a private constructor
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 502|http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data", [CWE ID 499|http://cwe.mitre.org/data/definitions/499.html] "Serializable Class Containing Sensitive Data"
...