Serialization VS Externalization | Serialization vulnerabilities | Code Decode


In this video from Code Decode we explain serialization versus externalization and the vulnerabilities that come with Java serialization.

Udemy Course of Code Decode on Microservice k8s AWS CICD link:
https://openinapp.co/udemycourse

Course Description Video :
https://yt.openinapp.co/dmjvd

What is a Java deserialize vulnerability?
A Java deserialize vulnerability is a security weakness that occurs when an attacker feeds a modified serialized object into the system in order to compromise the system or its data.

A serialized object in Java is a byte array carrying the object's state. If you open a stored serialized object in a hex editor, you can read and manipulate that state quite easily, because the format is documented and carries no integrity protection of its own.

Thus, if an application accepts serialized objects from outside, it is relatively easy to tamper with the values. By altering the serialized bytes, an attacker can create invalid objects, break the data's integrity, or worse.

How to prevent a Java deserialize vulnerability?
The best way to prevent a Java deserialize vulnerability is to avoid Java serialization altogether. If your application never deserializes objects, a crafted serialized object can't hurt you.

However, if you do need to implement the `Serializable` interface because of inheritance, you can define a private readObject() method, as seen below, that throws instead of deserializing. ObjectInputStream looks this method up by reflection, so the signature must be exactly `private void readObject(ObjectInputStream)`; it prevents any actual deserialization of the class.

    // Invoked by ObjectInputStream for every instance read from a stream;
    // throwing here means no instance of this class can ever be reconstructed.
    private void readObject(java.io.ObjectInputStream in) throws java.io.IOException {
        throw new java.io.IOException("Deserialization not allowed");
    }

Do not accept serialized objects from untrusted sources.
Keep your .ser files in a secure location; restrict them so that only authorized persons can access them.
Don't store passwords or similar sensitive information in serialized form, as serialization is prone to vulnerabilities.
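The two defenses described above, as an added example that is not code from the Code Decode video: a class that refuses to be deserialized through the readObject hook shown earlier, and, as an extra layer the description does not mention, a JDK 9+ ObjectInputFilter allowlist that rejects every class except the one the application expects. All class names here are constructed for the example.

```java
import java.io.*;

// Constructed demo (not from the video): reject deserialization in two ways.
public class DeserializationGuardDemo {

    // Serialize any object to a byte array (what an app might store in a .ser file).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an allowlist filter (java.io.ObjectInputFilter, JDK 9+):
    // only the class "Settings" may be reconstructed; the pattern "!*" rejects
    // every other class before its constructor or readObject hook can run.
    static Object deserializeAllowingSettingsOnly(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("Settings;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The readObject guard from the description: writing works, reading is refused.
        byte[] locked = serialize(new LockedDown());
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(locked))) {
            in.readObject();
            System.out.println("unexpected: LockedDown was deserialized");
        } catch (IOException e) {
            System.out.println("LockedDown rejected by readObject: " + e.getMessage());
        }

        // 2. The allowlisted class passes the filter and comes back intact.
        Settings s = (Settings) deserializeAllowingSettingsOnly(serialize(new Settings(30, true)));
        System.out.println("Settings restored: timeout=" + s.timeoutSeconds + " verbose=" + s.verbose);

        // 3. Any other class in the stream (here java.util.Date) is rejected by the filter.
        try {
            deserializeAllowingSettingsOnly(serialize(new java.util.Date(0)));
            System.out.println("unexpected: Date was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("Date rejected by filter: " + e.getMessage());
        }
    }
}

// A class forced to be Serializable (e.g. by a parent) that must never be read back.
class LockedDown implements Serializable {
    private static final long serialVersionUID = 1L;
    int value = 42;

    // ObjectInputStream invokes this by reflection during readObject();
    // throwing here means no LockedDown instance can ever come out of a stream.
    private void readObject(ObjectInputStream in) throws IOException {
        throw new IOException("Deserialization not allowed");
    }
}

// The one class the application legitimately expects to deserialize.
class Settings implements Serializable {
    private static final long serialVersionUID = 1L;
    int timeoutSeconds;
    boolean verbose;

    Settings(int timeoutSeconds, boolean verbose) {
        this.timeoutSeconds = timeoutSeconds;
        this.verbose = verbose;
    }
}
```

Run it with `java DeserializationGuardDemo.java` on JDK 11 or later. The readObject guard protects a single class; the filter protects the whole stream, which matters because a stream can name any Serializable class on the classpath, not just the one you wrote.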


What inheritance rules apply to serialization and deserialization of child and parent classes?
If the superclass is serializable, then the subclass is automatically serializable.

If the superclass is Serializable, then by default every subclass is serializable. Hence, even if a subclass doesn't implement the Serializable interface itself (but its superclass does), we can serialize the subclass object.

If the superclass is not serializable, the subclass can still be serialized.

Even if the superclass doesn't implement the Serializable interface, we can serialize subclass objects as long as the subclass itself implements Serializable. So, to serialize subclass objects, the superclass need not be serializable. But what happens to the superclass's part of the object during serialization in this case?
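The three inheritance cases above, as an added example that is not code from the Code Decode video. It goes one step beyond the text to answer the closing question: the fields of a non-serializable superclass are not written to the stream at all, and on deserialization the JVM re-initializes them by running that superclass's no-argument constructor (the subclass's own constructor does not run); if the non-serializable superclass has no accessible no-arg constructor, deserialization fails with InvalidClassException. All class names are constructed for the example.

```java
import java.io.*;

// Constructed demo (not from the video) of how Serializable interacts with inheritance.
public class InheritanceSerializationDemo {

    // Case 1: serializable parent; the child does not implement Serializable itself.
    static class Animal implements Serializable {
        private static final long serialVersionUID = 1L;
        String name;
        Animal(String name) { this.name = name; }
    }
    static class Dog extends Animal {
        int age;
        Dog(String name, int age) { super(name); this.age = age; }
    }

    // Case 2: non-serializable parent with a no-arg constructor; child is Serializable.
    static class Vehicle {
        String make = "unset";           // what the no-arg constructor leaves behind
        Vehicle() { }
        Vehicle(String make) { this.make = make; }
    }
    static class Car extends Vehicle implements Serializable {
        private static final long serialVersionUID = 1L;
        int doors;
        Car(String make, int doors) { super(make); this.doors = doors; }
    }

    // Case 3: non-serializable parent WITHOUT a no-arg constructor.
    static class Engine {
        int horsepower;
        Engine(int horsepower) { this.horsepower = horsepower; }
    }
    static class Truck extends Engine implements Serializable {
        private static final long serialVersionUID = 1L;
        Truck() { super(300); }
    }

    // Write an object out and read it back in from memory.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: Dog inherits Serializable from Animal; both name and age survive.
        Dog dog = (Dog) roundTrip(new Dog("Rex", 3));
        System.out.println("Dog: name=" + dog.name + " age=" + dog.age);   // Rex, 3

        // Case 2: Car's own field survives, but Vehicle.make was never written;
        // it is reset by Vehicle() during deserialization.
        Car car = (Car) roundTrip(new Car("Toyota", 4));
        System.out.println("Car: make=" + car.make + " doors=" + car.doors); // unset, 4

        // Case 3: writing succeeds, but reading fails because Engine has no
        // no-arg constructor for the JVM to run.
        try {
            roundTrip(new Truck());
            System.out.println("unexpected: Truck deserialized");
        } catch (InvalidClassException e) {
            System.out.println("Truck failed: " + e.getMessage());          // "... no valid constructor"
        }
    }
}
```

The practical consequence for security review: state living in a non-serializable superclass (for example, an "authenticated" flag set in its constructor) silently takes whatever value the no-arg constructor assigns after a round trip, so a class design that relies on it should be checked, or the state moved into the serializable subclass and validated in readObject().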



Most Asked Core Java Interview Questions and Answers: Core Java frequently asked Interview ...

Advance Java Interview Questions and Answers: Advance Java Interview Questions

Java 8 Interview Questions and Answers: Java 8 Interview Questions (New Features)

Hibernate Interview Questions and Answers: Hibernate Interview Questions Java

Spring Boot Interview Questions and Answers: Advance Java Interview Questions

Angular Playlist: Angular Course Introduction || Angular 8

SQL Playlist: SQL Interview Questions and Answers

GIT: GIT

Subscribe and Follow Code Decode
Subscribe to Code Decode: https://www.youtube.com/c/CodeDecode?...
LinkedIn: /codedecodeyoutube
Instagram: /codedecode25

#singletondoublecheckedlocking #codedecode #javainterviewquestion
