
Comments (32)

RiieCco commented on August 17, 2024 (2)

Almost finished, need to put in some scan output results in the file. Had a couple of busy weeks but I expect to finish it soon for a first PR ^^

from wstg.

vermava commented on August 17, 2024 (1)

Hi Team, I am picking up the topic and working on it.

Thank You
Vandana


RiieCco commented on August 17, 2024 (1)

@kingthorin, I am on it again!


RiieCco commented on August 17, 2024 (1)

@kingthorin, I will create the PR next week! :-)


RiieCco commented on August 17, 2024 (1)

@kingthorin hahaha will do, thanks! ^^


alex97saba commented on August 17, 2024 (1)

Thank you very much @RiieCco, I just wrote you on Slack (hoping it's the right person :) ).


salecharohit commented on August 17, 2024

Hi,

I have delivered a workshop on this topic and would like to contribute to the testing guide by adding details on how to go about finding these issues in various languages like Java, PHP, Python, Node.js and .NET.

Please guide me as to how I can add the details.


RiieCco commented on August 17, 2024

Hey @vermava,

How far did you get with writing test scenarios for this one?
I can maybe give some assistance here since we also already have labs for insecure deserialization.

https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-deserialisation-yaml
https://owasp-skf.gitbook.io/asvs-write-ups/kbid-xxx-des-pickle-2


ThunderSon commented on August 17, 2024

@RiieCco I tried tagging Verma on another issue. No replies. You can move forward with this 😄


kingthorin commented on August 17, 2024

@RiieCco are you going to be able to tackle this?


Hsiang-Chih commented on August 17, 2024

For the serialization issue, there are black-box and white-box approaches.
Refer to the section I have done for the Cheat Sheet. Let me know any section I can help to add.
Deserialization_Cheat_Sheet.html


ThunderSon commented on August 17, 2024

Looking at the CS, that CS should belong in this project. It's purely offensive.
@rbsec @kingthorin what are your thoughts on this?


kingthorin commented on August 17, 2024

It ends with some offensive references but the majority of the article is about Deserializing Safely (from my skim of the content).

As for white- vs black-box: although code review is mentioned in the TG it isn't really "testing", so black-box is probably more applicable (e.g. ways you'd identify and exploit during a penetration test or leveraging DAST).


rbsec commented on August 17, 2024

The black/white box review stuff doesn't really belong, but there's a load of defensive stuff for Java and .NET.

It could certainly do with a cleanup, but I think it still has a place in the cheat sheets project.


ThunderSon commented on August 17, 2024

Lovely. This is something we can look at. (Rick it's not porting the whole CS)

Getting data from that CS for the WSTG, and refreshing the focus and look of the Deserialization CS.


kingthorin commented on August 17, 2024

Sounds good 👍


Hsiang-Chih commented on August 17, 2024

1. "How to test for Deserialisation of Untrusted Data": is there any existing section, or will it be a new section?

2. Agree that the white-box review can't verify the deserialization results; it can only narrow the scope.


ThunderSon commented on August 17, 2024

This needs to be added. I am getting vibes of adding this to Business Logic Testing, as it's on an object level and how processing is going to handle the object. If not, we downgrade to Input Val Testing.
@kingthorin let me know what you think.


kingthorin commented on August 17, 2024

To me it's an Input Validation issue. Business Logic is more specific for things like improper handling of pricing, rebates, HR processes, orders, manufacturing, etc.


jespunya commented on August 17, 2024

I agree with @kingthorin, this is more about Input Validation since it's the abuse of unexpected inputs to perform an action not desired or authorized. Commonly the impact would be a Business Logic exploitation, but that's not a must condition. For example you can have an XML bomb that would be part of the deserialization of untrusted data and results in a DoS instead of the manipulation of the Business Logic.


ThunderSon commented on August 17, 2024

Mhm, agreed. I had a discussion back then with @kingthorin and we agreed on it being in Input Validation.
@Hsiang-Chih to answer you (apologies), this will have to be a new section.


github-actions commented on August 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.


kingthorin commented on August 17, 2024

@vermava @RiieCco any news?


github-actions commented on August 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.


github-actions commented on August 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.


RiieCco commented on August 17, 2024

I am still working on this one, sadly I got a massive burnout after wanting to commit this.
I can send what I already had written on the subject to anybody who wants to pick up on this?

Otherwise I will commit in due time when I am getting back on track again :-)


kingthorin commented on August 17, 2024

No problem, thanks for the update. Whenever you get to it is great. Don’t let stale bot get to ya.


alex97saba commented on August 17, 2024

Hi everyone,
How far did you get in the project? I would like to continue your work if help is needed.
Thank you


ThunderSon commented on August 17, 2024

@RiieCco Hello mate! :)
Would you be able to coordinate with @alex97saba to move the needle on this? Maybe provide write access on the branch and then open a draft PR. Let us know if we can help.


RiieCco commented on August 17, 2024

Hey @ThunderSon sure thing!

It has literally been 6 months since I last touched a laptop so I will need to check things a bit.
@alex97saba thank you very much for helping out man! I will set up everything as soon as possible!
Also, can I find you on the OWASP Slack channel for discussions etc? :-)

Cheers!


ThunderSon commented on August 17, 2024

I am not sure @alex97saba is on Slack, but there is a channel testing-guide if you need that :)


github-actions commented on August 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
