A8:2017 - Insecure Deserialization

• OWASP Documentation

Actions by GeneXus

• GeneXus brings serialization/deserialization secure mechanisms as FromJSON, ToJSON, FromXML & ToXML.
• When the SDT's ToXML or ToJSON functions are used GeneXus codes the entries.
• When the XML is manually readed/writen XMLWriter and XMLReader functions code/decode the entries and values accordingly.

Actions by Developers

• Sanitize user's entries if those are concatenated to an XML and charged using FromXML function.
  • Security Scanner helps to detect this scenario with case code #126
  • The use of System.Security.SecurityElement.Escape from.Net Framework or org.owasp.esapi.Encoder.encodeForXML from ESAPI for Java is adviced.
• If the function WriteRawText of XMLWriter is used the developer must sanitize user's entires.
  • Security Scanner helps to detect this scenario with case code  #128
  • The use of System.Security.SecurityElement.Escape from.Net Framework or org.owasp.esapi.Encoder.encodeForXML from ESAPI for Java is adviced.
  • Use ValidationType property to validate XML format.
    • Security Scanner helps to detect this scenario with case code #113
• Sanitize user's entries if those are concatenated to a JSON and charged using FromJSON function.
  • Security Scanner helps to detect this scenario with case code #127.
  • The use of System.Web.Serialization.JavaScriptSerializer.Serialize from .Net Framework or org.owasp.esapi.Encoder.encodeForJavascript from ESAPI for Java is adviced.
• Security Scanner - Detections:
  • SDT.FromXml() pattern usage (#126), SDT.FromJson() pattern usage (#127), SDT.FromXmlFile() pattern usage (#134), SDT.FromJsonFile() pattern usage (#135).