Java Serialization Detected
What is it?
Java Serialization appears to be in use. If the serialized data is not validated correctly, an attacker can send a specially crafted object that leads to Remote Code Execution. A magic sequence identifying a Java Serialization Object (JSO) has been detected (Base64: rO0AB; raw bytes: 0xac, 0xed, 0x00, 0x05).
References
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
API requests and responses are analyzed for the presence of Java Serialization Objects, identified by the magic sequences that mark the start of a JSO stream (the raw bytes 0xac 0xed 0x00 0x05, or the Base64 prefix rO0AB).
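As an added example (not part of this test case's documentation or the scanner's own code), the following Python checks a request or response body for both forms of the magic sequence named above. It decodes base64 runs before matching, so it also catches a stream that does not begin the encoded blob, where the rO0AB prefix is absent. All sample bodies are constructed.

```python
import base64
import binascii
import re

# Java Object Serialization Stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JSO_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header when the stream begins the blob ("rO0ABQ==" -> stable prefix "rO0AB").
JSO_B64_PREFIX = b"rO0AB"
# Runs of 6+ base64 characters (standard or URL-safe alphabet) with optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{6,}={0,2}")


def _decode_lenient(token: bytes) -> bytes:
    """Decode a base64 run, tolerating the URL-safe alphabet and missing padding."""
    token = token.replace(b"-", b"+").replace(b"_", b"/")
    token += b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error:
        return b""


def find_jso(body: bytes) -> list:
    """Report every place a Java serialized stream appears in a request/response body."""
    findings = []
    for m in re.finditer(re.escape(JSO_MAGIC), body):
        findings.append(f"raw JSO magic at offset {m.start()}")
    for m in _B64_RUN.finditer(body):
        token = m.group(0)
        if JSO_MAGIC in _decode_lenient(token):
            # The rO0AB prefix only shows when the stream starts the blob; a stream embedded
            # after other bytes still decodes to the raw magic but carries a different prefix.
            aligned = token.startswith(JSO_B64_PREFIX)
            findings.append(f"base64 JSO at offset {m.start()} (rO0AB prefix: {aligned})")
    return findings


# Constructed sample bodies (not captured from any real system); the payload after the
# magic is a serialized java.lang.String "x" (TC_STRING 0x74, length 1, 'x').
_STREAM = JSO_MAGIC + b"\x74\x00\x01\x78"
RAW_SAMPLE = b"POST body: " + _STREAM
JSON_SAMPLE = b'{"token":"' + base64.b64encode(_STREAM) + b'"}'
EMBEDDED_SAMPLE = b"data=" + base64.urlsafe_b64encode(b"\x01" + _STREAM)
CLEAN_SAMPLE = b'{"user":"alice","token":"aGVsbG8gd29ybGQ="}'

if __name__ == "__main__":
    for name, sample in [("raw", RAW_SAMPLE), ("json", JSON_SAMPLE),
                         ("embedded", EMBEDDED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(name, find_jso(sample))
```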
What is the solution?
Deserialization of untrusted data is inherently dangerous and should be avoided. Where an API must accept serialized data, it should validate that data thoroughly before deserializing it.