CWE-499: Serializable Class Containing Sensitive Data

Description

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.

Extended Description

Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Read Application Data — Notes: an attacker can write out the class to a byte stream, then extract the important data from it.

Potential Mitigations

Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization. (N/A)
Implementation: Make sure to prevent serialization of your objects. (N/A)

Applicable Platforms

Java (N/A, Undetermined)

Demonstrative Examples

Intro: This code creates a new record for a medical patient:

Body: This object does not explicitly deny serialization, allowing an attacker to serialize an instance of this object and gain a patient's name and Social Security number even though those fields are private.

class PatientRecord { private String name; private String socialSecurityNum; public Patient(String name,String ssn) { this.SetName(name); this.SetSocialSecurityNumber(ssn); } }

Notes

No notes available.

← Back to CWE list