CAPEC-586: Object Injection (Version 3.9)

Attack Pattern ID: 586
Abstraction: Meta
+ Description
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
This table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The target application must deserialize data before validating it.
+ Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Resource Consumption
Modify Data
Execute Unauthorized Commands
+ Mitigations

Implementation: Validate the object before the deserialization process.

Design: Limit which types can be deserialized.

Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.

Implementation: Keep session state on the server, when possible.
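As an added example (not part of the CAPEC entry), the "limit which types can be deserialized" and "allowlist of acceptable classes" mitigations above, applied to Python's pickle module: a pickle.Unpickler subclass overrides find_class() so that only expected (module, class) pairs are ever resolved, and any other type named in the stream is refused before it is instantiated. The allowlisted stdlib types, the sample record and the datetime.date input are constructed for illustration and stand in for an application's own record types.

```python
import collections
import datetime
import decimal
import io
import pickle

# Allowlist of (module, class) pairs the application legitimately exchanges.
# Constructed for this example: stdlib types stand in for the app's own types.
ALLOWED_CLASSES = {
    ("collections", "OrderedDict"),
    ("decimal", "Decimal"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals while unpickling.

    pickle.Unpickler calls find_class() for every class or callable named in
    the stream, so refusing unknown names here stops any type the application
    does not expect from being instantiated at all.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to deserialize {module}.{name}: not on the allowlist")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a serialized blob."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: a legitimate record, and a blob carrying a type
# the application never expects (datetime.date: harmless, but not allowlisted).
EXPECTED_RECORD = pickle.dumps(collections.OrderedDict(
    [("account", "alice"), ("balance", decimal.Decimal("10.50"))]))
UNEXPECTED_TYPE = pickle.dumps(datetime.date(2018, 7, 31))

if __name__ == "__main__":
    print(classify(EXPECTED_RECORD))   # accepted
    print(classify(UNEXPECTED_TYPE))   # rejected: refused to deserialize datetime.date ...
    # The stock unpickler, by contrast, instantiates any importable type.
    print(type(pickle.loads(UNEXPECTED_TYPE)).__name__)
```

The same pattern applies to other formats: the allowlist check belongs in the hook the deserializer calls to resolve a type name, before any constructor runs.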

+ Content History
Submissions
(Version 2.9) CAPEC Content Team, The MITRE Corporation
Modifications
(Version 2.12) CAPEC Content Team, The MITRE Corporation: Updated References, Related_Weaknesses
(Version 3.3) CAPEC Content Team, The MITRE Corporation: Updated Mitigations
(Version 3.4) CAPEC Content Team, The MITRE Corporation: Updated Mitigations
Page Last Updated or Reviewed: July 31, 2018