Insecure Deserialization
Insecure deserialization is a vulnerability that occurs when untrusted data is deserialized without sufficient validation, allowing an attacker to manipulate the serialized object to execute arbitrary code.
In PHP, the most common vector is the native unserialize() function. When user-controlled data is passed to unserialize(), an attacker can craft a malicious serialized payload that instantiates any class loaded or autoloadable in the application's scope. By targeting classes that implement magic methods such as __wakeup(), __destruct(), or __toString(), which PHP invokes automatically during or after unserialization, the attacker can chain method calls (a Property Oriented Programming, or POP, chain) to achieve remote code execution.
OWASP lists insecure deserialization as one of the Top 10 web application security risks.
Mitigations include: never deserializing untrusted data with native unserialize(); using safer formats such as JSON, which cannot instantiate application classes; using the allowed_classes option of unserialize() to allow-list the permitted classes; and authenticating serialized payloads with an HMAC so that tampered or forged data is rejected before it is deserialized.
<?php
// VULNERABLE: passing user input directly to unserialize()
$data = $_GET['data'];
$obj = unserialize($data); // Dangerous! Any class in scope can be instantiated and its magic methods triggered.

// SAFER: use JSON for untrusted data (json_decode() only yields stdClass/arrays/scalars, never application classes)
$obj = json_decode($_GET['data']);

// SAFER: restrict allowed classes when unserialize() is necessary
// (any other class in the payload becomes __PHP_Incomplete_Class, so its magic methods are not run)
$obj = unserialize($data, ['allowed_classes' => [MyValueObject::class]]);
?>
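The HMAC mitigation from the list above, combined with allowed_classes as defence in depth, as an added example that is not code from the original page; the class MyValueObject and the server-side secret $key are assumptions.

```php
<?php
// Added example (not from the original page): HMAC-authenticated serialization.
// Assumes a hypothetical application class MyValueObject and a server-side secret $key.

final class MyValueObject
{
    public function __construct(public int $id, public string $name) {}
}

// Serialize and append an HMAC so the payload cannot be altered without the key.
function sign_serialized(object $obj, string $key): string
{
    $payload = serialize($obj);
    $mac = hash_hmac('sha256', $payload, $key); // hex digest, never contains '|'
    return base64_encode($mac . '|' . $payload);
}

// Verify the HMAC before unserialize() ever sees the data, then still restrict classes.
function verify_and_unserialize(string $token, string $key): ?MyValueObject
{
    $decoded = base64_decode($token, true);
    if ($decoded === false || strpos($decoded, '|') === false) {
        return null; // malformed token
    }
    [$mac, $payload] = explode('|', $decoded, 2);
    // hash_equals() compares in constant time, so the check does not leak via timing.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null; // signature mismatch: payload was altered or forged
    }
    // Defence in depth: even a validly signed payload may only instantiate MyValueObject.
    $obj = unserialize($payload, ['allowed_classes' => [MyValueObject::class]]);
    return $obj instanceof MyValueObject ? $obj : null;
}

$key = random_bytes(32); // in practice: a stored secret, never derived from user input

$token = sign_serialized(new MyValueObject(42, 'alice'), $key);
var_dump(verify_and_unserialize($token, $key));

// Changing a single byte of the payload invalidates the HMAC, so nothing is deserialized.
$raw = base64_decode($token);
$raw[strlen($raw) - 1] = '?';
var_dump(verify_and_unserialize(base64_encode($raw), $key));
?>
```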
See also OWASP: PHP Object Injection, OWASP Top 10 A8: Insecure Deserialization, Developing a custom gadget chain for PHP deserialization and The Quiet Shift Reshaping PHP Security.
Related: Serialization, Unserialization, Object Injection, __wakeup() Method, __unserialize() Method, Attack, Vulnerability, OWASP, Security, POP, Static Application Security Testing (SAST)