kantega/notsoserial kantega/notsoserial

  • Stars
    star
    178
  • Rank 209,423 (Top 5 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created over 8 years ago
  • Updated about 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kantega/notsoserial
github

kantega

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Java Agent which mitigates deserialisation attacks by making certain classes unserializable

NotSoSerial

Build Status

NotSoSerial is a Java Agent designed as a mitigation effort against deserialization attacks.

Think of it as a "deserialization firewall". It gives you complete control over which classes your application should be allowed to deserialize.

See http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ for details on this attack.

How does it work?

NotSoSerial makes some well known vulnerable classes effectively non-deserializable by preventing them from loading.

It does so by adding a check just before the call to ObjectInputStream.resolveClass. If the class is not allowed, an UnsupportedOperationException is called instead of calling resolveClass.

This means the class never even gets loaded.

Usage

Build NotSoSerial:

mvn clean install

This builds an NotSoSerial jar file in target/notsoserial-1.0-SNAPSHOT.jar

Copy this as notsoserial.jar to your application, and add the following parameters to your Java startup script:

-javaagent:notsoserial.jar

PLEASE NOTE: In this mode, NotSoSerial only blocks a few known vulnerabilities. It does not fix the problem with deserialization attacks. It only knows about some well known classes for which it rejects deserialization. See below how you can whitelist or completely reject any objects to be deserialized.

Which classes are rejected?

By default, NotSoSerial rejects deserialization of the following classes:

  • org.apache.commons.collections.functors.InvokerTransformer
  • org.apache.commons.collections.functors.InstantiateTransformer
  • org.apache.commons.collections4.functors.InvokerTransformer
  • org.apache.commons.collections4.functors.InstantiateTransformer
  • org.codehaus.groovy.runtime.ConvertedClosure
  • org.codehaus.groovy.runtime.MethodClosure
  • org.springframework.beans.factory.ObjectFactory
  • com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl

You can add your own classes blacklist by configuring a blacklist file like this:

-javaagent:notsoserial.jar -Dnotsoserial.blacklist=my-blacklist.txt

Where my-blacklist.txt is a file with one class or package per line.

Whitelisting mode

As always, it would be better if we could accept only classes we explicitly want to allow for deserialization. Rejecting based on a whitelist is better security than rejecting based on a blacklist.

To help build a whitelist file with legitimately serializable classes, a 'dryrun' option has been added. Together with an empty white list, this will create a list of classes which your application actually deserializes.

This can be produced by configuring the agent as follows:

-javaagent:notsoserial.jar -Dnotsoserial.whitelist=empty.txt -Dnotsoserial.dryrun=is-deserialized.txt

Where 'empty.txt' is an empty file and 'is-deserialized.txt' is a file where the names of your actually deserialized classes will be written to.

After you are confident that all deserializable classes in your application have been recorded, you may restart your app, now reusing the recorded-as-serialized file as the whitelist:

-javaagent:notsoserial.jar -Dnotsoserial.whitelist=is-deserialized.txt

What happens when NotSoSerial rejects a deserialization attempt?

An Exception will be thrown, looking something like this:

java.lang.UnsupportedOperationException: Deserialization not allowed for class java.util.concurrent.locks.AbstractOwnableSynchronizer
	at org.kantega.notsoserial.NotSoSerialClassFileTransformer.preventDeserialization(NotSoSerialClassFileTransformer.java:119)

Rejecting deserialization entirely

Just use an empty whitelist. Preliminary testing with a non-trivial Java application (which does not intentionally use RMI or other serialization) seems to indicate that this might work just fine. Looks like the JDK might not need serialization for any of its internal operations.

Tracing deserialization

You might be interested not just in which classes your application deserializes, but also where in your code deserialization happens.

This can be enabled by using the 'trace' option, like the following:

 -javaagent:notsoserial.jar -Dnotsoserial.whitelist=empty.txt -Dnotsoserial.dryrun=is-deserialized.txt -Dnotsoserial.trace=deserialize-trace.txt

This will produce a file deserialize-trace.txt that looks something like this:

Deserialization of class java.util.PriorityQueue (on Mon Nov 09 19:34:26 CET 2015)
         at org.kantega.notsoserial.WithDryRunWhitelistAndTraceIT.deserialize

More Repositories

1

react-and-spring

Example of a Spring Boot project with a React frontend
JavaScript
477
star
2

kwashc

Kantega Web Application Security Hero Challenge
CSS
20
star
3

storm-twitter-workshop

Java
17
star
4

KantId

Library for identity identification
Java
11
star
5

kson

Simple and safe json parsing, writing and converting.
Java
9
star
6

leafletworkshop

JavaScript
9
star
7

elevation-of-mlsec

Elevation of MLsec: a threat-modeling card game for machine learning systems
9
star
8

revoc

Java
8
star
9

Flyt-cms

Java
7
star
10

quarkus-ad

Role Based Access Control with Azure AD and Quarkus OIDC
HTML
6
star
11

lonnsmodell

Kantegas lønnsmodell
6
star
12

heroku-demo

Learn how to work with Heroku Pipelines
JavaScript
6
star
13

meetingrooms

Meeting rooms
Objective-C
5
star
14

ai-dev-workshop

Workshop for bruk av AI-verktøy (som ChatGPT og Github Copilot) i utviklingsarbeid
JavaScript
4
star
15

sql-dsl

sql like DSL for java programmer to write sql instead of using strings
Java
3
star
16

respiro

Modular, developer-friendly integration platform
Java
3
star
17

eloplay

Kantegas eget leaderboard for bordtennis
TypeScript
3
star
18

Friskt-blod-til-hodet

Føring av statistikk for fysisk aktivitet
Java
2
star
19

metrics-workshop

CSS
2
star
20

Dogmatic-mvc

Java
2
star
21

vc-inspector

An open source tool for inspecting and debugging verifiable credentials
TypeScript
2
star
22

tweet-booster

Twitter wall for the Booster conference
JavaScript
2
star
23

essql

Very thin sql helper library
Java
1
star
24

techtest

App for performance / stability testing workshop
Java
1
star
25

impresio

Demo code for programmatic access to video using Java and HTML5 / Javascript
Java
1
star
26

reststop

Reststop - friction-free web development
Java
1
star
27

oidc-workshop-public

Workshop hvor ein lærer å logge inn en bruker ved hjelp av OIDC
CSS
1
star
28

correct-by-construction

A series of articles about maximizing the use of the compiler
Java
1
star
29

Flyt-forum-plugin

Java
1
star
30

html5pixelmagic

Workshop code for HTML5 Pixel Magic
JavaScript
1
star
31

picojam

Python
1
star
32

niagara-workshop-server

Java
1
star
33

bytecodez

Workshop code for learning about Java Byte Code, instrumentation, Java Agents and Code Coverage
Java
1
star
34

vipps-demo

Learn how to integrate your Spring Boot application with Vipps payment.
Java
1
star
35

htmx-workshop

Java
1
star