In this video from Code Decode we explain serialization vs. externalization and serialization vulnerabilities.
Udemy Course of Code Decode on Microservice k8s AWS CICD link:
https://openinapp.co/udemycourse
Course Description Video :
https://yt.openinapp.co/dmjvd
What is a Java deserialize vulnerability?
A Java deserialize vulnerability is a security vulnerability that occurs when a malicious user inserts a modified serialized object into the system in order to compromise the system or its data.
A serialized object in Java is a byte array with state information. If you look at a stored serialized object with a hex editor, you can read and manipulate the information quickly.
So if an application accepts serialized objects, it is relatively easy to tamper with the values. By altering the serialized objects, an attacker can create invalid objects, alter the data's integrity, or worse.
How to prevent a Java deserialize vulnerability?
The best way to prevent a Java deserialize vulnerability is to prevent Java serialization overall. If your application doesn’t accept serialized objects, it can’t hurt you.
However, if you do need to implement the Serializable interface due to inheritance, you can define a private readObject() method, as seen below, which the deserialization machinery calls automatically and which fails closed, so no instance of the class is ever rebuilt from a stream.
// Called by ObjectInputStream for every instance read from a stream; refusing here blocks deserialization of this class entirely.
private final void readObject(java.io.ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("Deserialization not allowed");
}
Do not accept serialized objects from untrusted sources.
Keep your .ser files in a secure location; restrict access so that only authorized users can read or modify them.
Don't store passwords or similar sensitive information in serialized objects, as serialization is prone to vulnerabilities.
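The following added example (not code from the video or from Code Decode) shows both defences from this section together: a class whose private readObject() refuses to be rebuilt from bytes, and a reader that only accepts an explicit allow-list of classes via ObjectInputFilter (Java 9 and later), so that serialized data from an untrusted source is rejected before any of its classes are instantiated. The class names AuditRecord and Greeting and the method names are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationGuardDemo {

    // Hypothetical class that must be Serializable (e.g. because of inheritance),
    // but whose instances must never be reconstructed from a stream.
    static class AuditRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String message;
        AuditRecord(String message) { this.message = message; }

        // ObjectInputStream calls this hook for every AuditRecord it reads; failing
        // here means no tampered AuditRecord can ever reach application code.
        private void readObject(ObjectInputStream in) throws IOException {
            throw new IOException("Deserialization not allowed for AuditRecord");
        }
    }

    // Hypothetical class that we do allow to be deserialized.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Serialize any object to a byte array (the same bytes a .ser file would hold).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Plain deserialization: the only protection is whatever each class's readObject does.
    static Object deserializeWithoutFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Allow-list deserialization (Java 9+): String and Greeting may be rebuilt, the
    // trailing "!*" rejects every other class before it is resolved or instantiated.
    static Object deserializeWithAllowList(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.String;DeserializationGuardDemo$Greeting;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] allowed = serialize(new Greeting("hello"));
        byte[] blocked = serialize(new AuditRecord("user logged in"));

        Greeting g = (Greeting) deserializeWithAllowList(allowed);
        System.out.println("Allowed class restored: " + g.text);

        try {
            deserializeWithoutFilter(blocked);
        } catch (IOException e) {
            System.out.println("readObject hook refused: " + e.getMessage());
        }

        try {
            deserializeWithAllowList(blocked);
        } catch (InvalidClassException e) {
            System.out.println("Allow-list filter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or newer (javac DeserializationGuardDemo.java && java DeserializationGuardDemo). The filter is the stronger of the two controls because it runs before any class from the stream is loaded, whereas the readObject hook only protects the one class that defines it; in production the filter string would list only the classes your application genuinely expects to read.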
What inheritance rules apply to serialization and deserialization of child and parent classes?
If the superclass is serializable, then the subclass is automatically serializable.
By default, every subclass of a Serializable class is serializable. Hence, even if the subclass does not itself implement the Serializable interface, we can serialize a subclass object as long as its superclass implements Serializable.
If the superclass is not serializable, the subclass can still be serialized.
Even if the superclass does not implement the Serializable interface, we can serialize subclass objects if the subclass itself implements Serializable. So to serialize subclass objects, the superclass need not be serializable. But what happens to the superclass part of the instance during serialization in this case?
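The following added example (not code from the video or from Code Decode) round-trips objects through a byte array to show both inheritance rules above, and also demonstrates the answer to the closing question: when the superclass is not Serializable, its fields are not written to the stream at all, and on deserialization the JVM runs the superclass's accessible no-arg constructor, so those fields come back with whatever that constructor assigns. The class names Person, Employee, Device and Sensor are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializationInheritanceDemo {

    // Case 1: Serializable superclass, subclass inherits serializability.
    static class Person implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        Person(String name) { this.name = name; }
    }

    // Employee does not implement Serializable itself; it gets it from Person.
    static class Employee extends Person {
        private static final long serialVersionUID = 1L;
        int badge;
        Employee(String name, int badge) { super(name); this.badge = badge; }
    }

    // Case 2: non-Serializable superclass, Serializable subclass.
    static class Device {
        String location = "unset";
        // Required: deserialization of a Sensor invokes this constructor to build the
        // Device part, because Device's fields are never written to the stream.
        Device() {}
        Device(String location) { this.location = location; }
    }

    static class Sensor extends Device implements Serializable {
        private static final long serialVersionUID = 1L;
        double reading;
        Sensor(String location, double reading) { super(location); this.reading = reading; }
    }

    // Serialize to bytes and deserialize again, returning the reconstructed copy.
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Both the inherited field (name) and the subclass field (badge) survive the trip.
        Employee e = roundTrip(new Employee("Ada", 42));
        System.out.println("Employee: name=" + e.name + ", badge=" + e.badge);

        // reading survives, but location is reset by Device's no-arg constructor.
        Sensor s = roundTrip(new Sensor("roof", 21.5));
        System.out.println("Sensor: location=" + s.location + ", reading=" + s.reading);
    }
}
```

If you delete the no-arg constructor from Device, the Sensor round trip fails with java.io.InvalidClassException ("no valid constructor"), which is a useful reminder that a serializable subclass depends on its non-serializable parent being constructible without arguments.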
Most Asked Core Java Interview Questions and Answers : https://youtube.com/playlist?list=PLyHJZXNdCXscoyL5XEZoHHZ86_6h3GWE1
Advance Java Interview Questions and Answers : https://youtube.com/playlist?list=PLyHJZXNdCXsexOO1VQ4vs-BM2-8CKrixd
Java 8 Interview Questions and Answers : https://youtube.com/playlist?list=PLyHJZXNdCXsdeusn4OM33415DCMQ6sUKy
Hibernate Interview Questions and Answers : https://youtube.com/playlist?list=PLyHJZXNdCXsdC-p2186C6NO4FpadnCC_q
Spring Boot Interview Questions and Answers : https://youtube.com/playlist?list=PLyHJZXNdCXsexOO1VQ4vs-BM2-8CKrixd
Angular Playlist : https://www.youtube.com/watch?v=CAl7RQSdq2Q&list=PLyHJZXNdCXsfxRtDwtGkDD_lLfTWc1g0i
SQL Playlist : https://www.youtube.com/playlist?list=PLyHJZXNdCXse86eLuwy5uZohd_bddE9Ni
GIT : https://youtube.com/playlist?list=PLyHJZXNdCXscpl6pxOnL2lRWJlzvzjyZE
Subscribe to and follow Code Decode
Subscribe to Code Decode : https://www.youtube.com/c/CodeDecode?sub_confirmation=1
LinkedIn : https://www.linkedin.com/in/codedecodeyoutube/
Instagram : https://www.instagram.com/codedecode25/
#singletondoublecheckedlocking #codedecode #javainterviewquestion