Proceedings of the Institute for System Programming of the RAS
Proceedings of the Institute for System Programming of the RAS, 2023, Volume 35, Issue 1, Pages 223–236
DOI: https://doi.org/10.15514/ISPRAS-2023-35(1)-14
(Mi tisp764)
 

Research into occurrence of insecurely-serialized objects in client-side code of web-applications

D. D. Mironov (a), D. A. Sigalov (a, b), M. P. Malkov (a, b)

(a) SolidSoft
(b) Lomonosov Moscow State University
Abstract: This paper studies the occurrence of insecure deserialization in the communication between the client-side code and the server side of a web application. Special attention is paid to serialized objects sent from JavaScript client-side code. Specific patterns of serialized-object usage within client-side JavaScript code were identified and formulated as distinct classes, whose main purpose is to facilitate manual and automated analysis of web applications. A tool that detects serialized objects in the client-side code of a web page has been designed and implemented. The tool finds both encoded serialized objects and serialized objects wrapped in several sequentially applied encodings. For each serialized object found, the tool determines the context in which the object appears on the page. For objects inside JavaScript code, the tool assigns them to the classes mentioned above by matching vertices of the code's abstract syntax tree (AST). After the study results were obtained, the web application endpoints were checked to determine whether programming objects were deserialized on the server side. This check revealed previously unknown vulnerabilities, which were reported to the developers of the affected software; one of them was assigned CVE-2022-24108. Based on the results of this research, a method was proposed to facilitate both manual and automated searches for vulnerabilities of the "Deserialization of untrusted data" class. The proposed algorithm was tested on more than 50,000 web application pages from the Alexa Top 1M list, as well as on 20,000 web application pages from Bug Bounty programs.
Keywords: deserialization of untrusted data, web-applications, client-side code analysis, security analysis automation, vulnerabilities
Document Type: Article
Language: Russian
Citation: D. D. Mironov, D. A. Sigalov, M. P. Malkov, “Research into occurrence of insecurely-serialized objects in client-side code of web-applications”, Proceedings of ISP RAS, 35:1 (2023), 223–236
Citation in format AMSBIB
\Bibitem{MirSigMal23}
\by D.~D.~Mironov, D.~A.~Sigalov, M.~P.~Malkov
\paper Research into occurrence of insecurely-serialized objects in client-side code of web-applications
\jour Proceedings of ISP RAS
\yr 2023
\vol 35
\issue 1
\pages 223--236
\mathnet{http://mi.mathnet.ru/tisp764}
\crossref{https://doi.org/10.15514/ISPRAS-2023-35(1)-14}
Linking options:
  • https://www.mathnet.ru/eng/tisp764
  • https://www.mathnet.ru/eng/tisp/v35/i1/p223