
SonarSecurity detects Java deserialization vulnerabilities

Description

WHY

Talks

Deserialization of untrusted data leading to vulnerabilities was revealed a dozen years ago and was popularized in 2015 by Frohoff and Lawrence's AppSecCali presentation "Marshalling Pickles".
Despite the fact that this vulnerability has been in the spotlight for quite some time now, it has not been eliminated yet and continues to be the topic of talks year after year at AppSec conferences:

Gadgets

In parallel, tools for creating gadgets (payloads to be deserialized) are regularly maintained, showing that this vulnerability is still active and exploited:

CWE Top 25

Deserialization of Untrusted Data (CWE-502) is still part of the CWE Top 25 classification, at the 23rd position, and as such we should cover it properly.

We already provide a rule for Java (RSPEC-5135). It works well in some cases, and we want to be sure it works well in almost all cases and confirm that we can detect past CVEs. We need to perform the same validation work we did for the SQLi rule to guarantee a high level of quality.
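As an added illustration of the pattern such a rule targets and of the remediation it should recognise (constructed for this ticket, not SonarSource's code or test data): a hypothetical endpoint that feeds an HTTP request body straight into ObjectInputStream, beside the same read hardened with a JDK 9+ ObjectInputFilter allow-list (JEP 290). The class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
// Hypothetical endpoint (constructed for this example, not SonarSource's code).
public final class OrderEndpoint {
    // The only type this endpoint legitimately expects to receive.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        Order(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    // Pattern a taint-analysis rule like RSPEC-5135 should flag: the request body
    // (untrusted source) flows unchanged into ObjectInputStream.readObject (sink),
    // so any Serializable class on the classpath can be instantiated by the sender.
    static Object vulnerableRead(byte[] requestBody) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(requestBody))) {
            return in.readObject();
        }
    }

    // Hardened form (JEP 290, Java 9+): an allow-list filter set before readObject.
    // Classes not listed, or a graph deeper/larger than the limits, are rejected with
    // InvalidClassException before any of their deserialization code runs.
    // java.lang.String is listed because the filter is also consulted for string values.
    static final ObjectInputFilter ORDER_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;" + Order.class.getName() + ";java.lang.String;!*");
    static Order hardenedRead(byte[] requestBody) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(requestBody))) {
            in.setObjectInputFilter(ORDER_ONLY);
            return (Order) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body: a legitimately serialized Order.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Order("SKU-42", 3));
        }
        Order o = hardenedRead(bos.toByteArray());
        System.out.println(o.sku + " x" + o.qty);
    }
}
```

A rule validated against past CVEs should still report vulnerableRead, and should stop reporting once the filter is attached before readObject, which is the sanitizer pattern a SQLi-style source/sink check needs to model.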

WHAT

The goal of this MMF is to be strong at detecting Insecure Deserialization, meaning:

People

Assignee: Pierre-Loup Tristant
Reporter: Alexandre Gigleux