OWASP Serverless Top 10 #8: Insecure Deserialization

Dynamic languages like Python and Node.js, together with the widespread use of JSON as a serialization format, could make deserialization attacks somewhat more common in the serverless world.

Security Weakness and Impact

Together with that attack vector, the fact that most functions rely on third-party libraries to handle the (de)serialization of data can introduce this weakness into a serverless application. Deserialization vulnerabilities are well known in Python (e.g. pickle) and JavaScript (e.g. node-serialize), but they can also be found in .NET and Java.

As usual, the business impact depends on the application and the data it handles. Insecure deserialization usually results in arbitrary code execution, which could eventually lead to data leakage and, in severe cases, even to control over resources and the account.

How to Prevent

  • Validate serialized objects originating from any untrusted source (e.g. cloud storage, databases, emails, notifications, APIs) by enforcing strict type constraints before processing them.
  • Review third-party libraries for known deserialization vulnerabilities.
  • It is also a good practice to monitor deserialization usage and exceptions in order to identify possible attacks.
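The following is an added example, not code from the OWASP page, showing how the three recommendations above look in a Python function handler: untrusted JSON is parsed and then checked against an explicit type schema before use, rejected payloads are logged so their rate can be alerted on, and a restricted `pickle.Unpickler` refuses to resolve any global, which is what turns a pickle stream into code execution. All names (`handle_event`, `validate_order`, `ORDER_SCHEMA`, `RestrictedUnpickler`, `restricted_loads`, `is_rejected`) and the sample payloads are constructed for this illustration.

```python
"""Added example: deserializing untrusted input in a serverless handler.

Hypothetical names: handle_event, validate_order, ORDER_SCHEMA,
RestrictedUnpickler, restricted_loads, is_rejected. Not the OWASP project's code.
"""
import io
import json
import logging
import pickle

log = logging.getLogger("deserialization")

# Constructed schema: the only message shape this function accepts.
ORDER_SCHEMA = {
    "order_id": str,
    "quantity": int,
    "sku": str,
}
MAX_BODY_BYTES = 4096


class DeserializationError(ValueError):
    """Raised whenever untrusted input fails the type or structure checks."""


def validate_order(obj):
    """Enforce strict type constraints: exact key set, exact types, bounded values."""
    if not isinstance(obj, dict):
        raise DeserializationError("top-level value must be an object")
    if set(obj) != set(ORDER_SCHEMA):
        raise DeserializationError(f"unexpected key set: {sorted(obj)}")
    for key, expected in ORDER_SCHEMA.items():
        value = obj[key]
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise DeserializationError(f"{key}: expected {expected.__name__}")
    if not 0 < obj["quantity"] <= 10_000:
        raise DeserializationError("quantity out of range")
    return obj


def handle_event(event):
    """Lambda-style entry point: parse JSON from event['body'], then validate it.

    Returns an HTTP-style dict. Every rejection is logged at WARNING so that a
    spike in malformed payloads shows up in the function's monitoring.
    """
    body = event.get("body", "")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        log.warning("rejected oversized body (%d bytes)", len(body))
        return {"statusCode": 413, "body": "payload too large"}
    try:
        order = validate_order(json.loads(body))
    except (json.JSONDecodeError, DeserializationError) as exc:
        log.warning("deserialization rejected: %s", exc)
        return {"statusCode": 400, "body": "invalid order"}
    return {"statusCode": 200, "body": json.dumps({"accepted": order["order_id"]})}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    Plain pickle.loads() imports and calls whatever class or function the
    stream names. Overriding find_class turns that into a hard failure, so
    only primitive containers (dict, list, str, int, ...) can be loaded.
    """

    def find_class(self, module, name):
        log.warning("blocked pickle global %s.%s", module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    """Load a pickle stream with globals disabled."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted unpickler refuses the stream (used for checks)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_event({"body": '{"order_id": "A1", "quantity": 2, "sku": "X"}'}))
    print(handle_event({"body": '{"order_id": "A1", "quantity": true, "sku": "X"}'}))
    # A pickled function is stored as a global reference; the restricted
    # unpickler rejects it, while a plain dict of primitives loads normally.
    print(is_rejected(pickle.dumps(len)), is_rejected(pickle.dumps({"a": [1, 2]})))
```

The schema check deliberately rejects unknown keys and `bool` where `int` is expected; the first catches payloads that smuggle extra fields into later processing, the second catches a common Python type-confusion gap. Prefer JSON plus this kind of validation over pickle for any data that crosses a trust boundary; the restricted unpickler is a mitigation for code that cannot yet migrate away from pickle, not a reason to keep using it.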

Serverless Top 10

Read more about the OWASP Serverless Top 10.
