{"id":477613,"date":"2023-08-09T09:18:01","date_gmt":"2023-08-09T09:18:01","guid":{"rendered":""},"modified":"2023-09-05T11:15:06","modified_gmt":"2023-09-05T11:15:06","slug":"insecure-deserialization","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/vn\/wiki\/insecure-deserialization\/","title":{"rendered":"Insecure Deserialization"},"content":{"rendered":"<p>Insecure deserialization is a vulnerability in web applications that allows an attacker to manipulate data and potentially execute arbitrary code by exploiting the deserialization process. This security flaw arises when an application blindly converts serialized data back into objects without proper validation, leading to serious consequences such as unauthorized access, data tampering and remote code execution.<\/p>\n<h2>History of the origin of Insecure Deserialization and the first mention of it<\/h2>\n<p>The concept of serialization dates back to the early days of computing, when developers needed a way to store and transmit data efficiently. 
The first mention of insecure deserialization as a security concern can be traced to a presentation by Philippe Delteil and Stefano Di Paola at the OWASP AppSec conference in 2006. They highlighted the risks associated with deserialization vulnerabilities, paving the way for deeper research and awareness in the security community.<\/p>\n<h2>Detailed information about Insecure Deserialization<\/h2>\n<p>Insecure deserialization occurs when an application takes serialized data, often in formats such as JSON, XML or PHP's native serialization, and converts it back into objects or data structures. 
Attackers can exploit this process by crafting maliciously manipulated serialized data to trick the application into executing arbitrary code.<\/p>\n<p>During deserialization, the application typically reconstructs objects from the serialized data by calling the corresponding class constructors or factory methods. The core problem lies in the lack of proper input validation and inadequate security checks during this process. Attackers can tamper with the serialized data, inject harmful payloads or modify object properties, leading to unintended behaviour or even compromise of the entire application.<\/p>\n<h2>The internal structure of Insecure Deserialization and how it works<\/h2>\n<p>Insecure deserialization vulnerabilities stem from the way serialized data is handled. 
The following steps illustrate how it works:<\/p>\n<ol>\n<li>\n<p>Serialization: The application converts objects or data structures into a serialized format (for example JSON or XML) to facilitate storage or transmission.<\/p>\n<\/li>\n<li>\n<p>Deserialization: The application takes the serialized data and reconstructs the original objects or data structures.<\/p>\n<\/li>\n<li>\n<p>Lack of validation: Insecure deserialization arises when the application fails to validate the incoming serialized data, assuming that it always comes from trusted sources.<\/p>\n<\/li>\n<li>\n<p>Malicious payload: Attackers carefully craft manipulated serialized data, embedding malicious code or modifying the properties of the serialized objects.<\/p>\n<\/li>\n<li>\n<p>Code execution: When the manipulated serialized data is deserialized, the application unintentionally executes the malicious code, leading to potential exploitation.<\/p>\n<\/li>\n<\/ol>\n<h2>Analysis of the key features of Insecure Deserialization<\/h2>\n<p>The key characteristics of insecure deserialization can be summarized as follows:<\/p>\n<ul>\n<li>\n<p><strong>Easy to exploit<\/strong>: Insecure deserialization is relatively easy to exploit, making it a popular target for attackers.<\/p>\n<\/li>\n<li>\n<p><strong>Stealthy attacks<\/strong>: Because deserialization vulnerabilities do not require file uploads or direct code injection, attackers can operate covertly, evading traditional security measures.<\/p>\n<\/li>\n<li>\n<p><strong>Severe consequences<\/strong>: Successful attacks can lead to unauthorized access, data tampering or remote code execution, potentially resulting in full system compromise.<\/p>\n<\/li>\n<li>\n<p><strong>Unpredictable payloads<\/strong>: Attackers can construct custom payloads to exploit the application in unique and unexpected ways.<\/p>\n<\/li>\n<\/ul>\n<h2>Types of Insecure Deserialization<\/h2>\n<p>Insecure deserialization vulnerabilities can be categorized into different types based on the specific attack vector or the programming language in use. Below are some common types:<\/p>\n<table>\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Remote code execution<\/td>\n<td>Attackers execute arbitrary code on the server, gaining unauthorized access to and control of the system.<\/td>\n<\/tr>\n<tr>\n<td>Object injection<\/td>\n<td>Malicious objects are injected into the application, potentially leading to data manipulation or leakage.<\/td>\n<\/tr>\n<tr>\n<td>Denial of service<\/td>\n<td>Crafted serialized data causes the application to consume excessive resources, resulting in a DoS attack.<\/td>\n<\/tr>\n<tr>\n<td>Type confusion<\/td>\n<td>Attackers exploit type-based handling errors during deserialization to compromise the system.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Ways to use Insecure Deserialization, problems and their solutions<\/h2>\n<h3>Ways to use Insecure Deserialization:<\/h3>\n<ul>\n<li>\n<p><strong>Data tampering<\/strong>: Attackers can modify serialized data to subvert application logic and alter sensitive information.<\/p>\n<\/li>\n<li>\n<p><strong>Identity forgery<\/strong>: Serialized data can be manipulated to forge user identities, bypassing authentication mechanisms.<\/p>\n<\/li>\n<li>\n<p><strong>Command execution<\/strong>: Malicious code can be injected into serialized data, leading to remote code execution.<\/p>\n<\/li>\n<\/ul>\n<h3>Problems and their solutions:<\/h3>\n<ul>\n<li>\n<p><strong>Input validation<\/strong>: Implement strict input validation to ensure that only trusted and expected data is processed during deserialization.<\/p>\n<\/li>\n<li>\n<p><strong>Use trusted libraries<\/strong>: Use secure, well-established deserialization libraries that provide built-in protections against common attacks.<\/p>\n<\/li>\n<li>\n<p><strong>Whitelisting<\/strong>: Create a whitelist of classes or data types allowed during deserialization to prevent the instantiation of unwanted objects.<\/p>\n<\/li>\n<li>\n<p><strong>Sandboxing<\/strong>: Perform deserialization in a sandboxed environment to restrict access to critical resources and prevent unauthorized actions.<\/p>\n<\/li>\n<\/ul>\n<h2>Key characteristics and other comparisons with similar terms<\/h2>\n<p>Insecure deserialization shares similarities with other web application vulnerabilities, but it has unique characteristics that set it apart:<\/p>\n<ul>\n<li>\n<p><strong>Similar to code injection<\/strong>: Insecure deserialization has some similarities with code injection vulnerabilities, but it operates in the context of deserialization, which makes it distinct.<\/p>\n<\/li>\n<li>\n<p><strong>Different from SQL injection<\/strong>: While SQL injection targets databases, insecure deserialization focuses on manipulating serialized data.<\/p>\n<\/li>\n<li>\n<p><strong>Common in web applications<\/strong>: Insecure deserialization is more common in web applications that process serialized data from user input or external APIs.<\/p>\n<\/li>\n<\/ul>\n<h2>Perspectives and future technologies related to Insecure Deserialization<\/h2>\n<p>As the field of web application security continues to evolve, advances in secure serialization and deserialization libraries are expected. Developers will increasingly prioritize input validation and safer deserialization techniques. In addition, automated security tools will continue to improve their ability to detect and mitigate insecure deserialization vulnerabilities.<\/p>\n<h2>How proxy servers can be used or associated with Insecure Deserialization<\/h2>\n<p>Proxy servers play an important role in web security by intercepting and filtering traffic between clients and servers. 
They can be used to detect and block malicious requests containing manipulated serialized data, providing an additional layer of protection against insecure deserialization attacks.<\/p>\n<h2>Related links<\/h2>\n<p>For more information on insecure deserialization and web application security, consider exploring the following resources:<\/p>\n<ul>\n<li><a href=\"https:\/\/owasp.org\/www-project-cheat-sheets\/cheatsheets\/Deserialization_Cheat_Sheet\" target=\"_new\" rel=\"noopener nofollow\">OWASP Deserialization Cheat Sheet<\/a><\/li>\n<li><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/draft\" target=\"_new\" rel=\"noopener nofollow\">NIST Application Security Guidelines<\/a><\/li>\n<li><a href=\"https:\/\/www.sans.org\/security-awareness-training\/sans-security-awareness-blog\/what-is-insecure-deserialization-and-how-to-avoid-it\" target=\"_new\" rel=\"noopener nofollow\">SANS Secure Coding<\/a><\/li>\n<\/ul>\n<p>In summary, a clear understanding of insecure deserialization is important for developers, security professionals and businesses to ensure the safety and integrity of web applications. 
By implementing best practices, using secure libraries and staying vigilant against emerging threats, we can strengthen our systems against potential exploits and protect sensitive data from unauthorized access and manipulation.<\/p>","protected":false},"featured_media":477614,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-477613","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about <mark>Insecure Deserialization: Understanding the Risks and Solutions<\/mark>","faq_items":[{"question":"What is Insecure Deserialization?","answer":"<p>Insecure deserialization is a vulnerability found in web applications where serialized data is converted back into objects without proper validation. Attackers can exploit this flaw to manipulate data and potentially execute malicious code, leading to unauthorized access or system compromise.<\/p>"},{"question":"How did Insecure Deserialization come into existence?","answer":"<p>The concept of serialization has been used in computing for a long time, but the first mention of insecure deserialization as a security concern dates back to a presentation in 2006. Philippe Delteil and Stefano Di Paola highlighted the risks associated with deserialization vulnerabilities at the OWASP AppSec conference, sparking further research and awareness.<\/p>"},{"question":"How does Insecure Deserialization work?","answer":"<p>During the deserialization process, an application reconstructs objects from serialized data. 
Insecure deserialization arises due to the lack of proper validation. Attackers craft manipulated serialized data with harmful payloads or modified properties. When this data is deserialized, the application unknowingly executes the malicious code, leading to potential exploits.<\/p>"},{"question":"What are the key features of Insecure Deserialization?","answer":"<p>Insecure deserialization is relatively easy for attackers to exploit, and it allows them to execute code covertly. The consequences of successful attacks can be severe, leading to unauthorized access, data tampering, or even full system compromise. Attackers can also construct unpredictable payloads for exploitation.<\/p>"},{"question":"What are the types of Insecure Deserialization?","answer":"<p>Insecure deserialization vulnerabilities can be categorized into different types, including remote code execution, object injection, denial of service, and type confusion. Each type poses unique risks and challenges for developers and security professionals.<\/p>"},{"question":"How can Insecure Deserialization be used, and what are the solutions?","answer":"<p>Attackers can use insecure deserialization to tamper with data, forge identities, or execute commands. To mitigate these risks, developers should implement strict input validation, use trusted libraries, whitelist allowed classes, and execute deserialization in a sandboxed environment.<\/p>"},{"question":"How does Insecure Deserialization compare to other web vulnerabilities?","answer":"<p>Insecure deserialization is similar to code injection but operates within the context of deserialization. It differs from SQL injection, which targets databases. 
This vulnerability is more common in web applications dealing with serialized data from user input or external APIs.<\/p>"},{"question":"What are the future perspectives related to Insecure Deserialization?","answer":"<p>As web application security evolves, advancements in secure serialization and deserialization libraries are expected. Developers will prioritize input validation and safer deserialization techniques, while automated security tools will improve detection and mitigation.<\/p>"},{"question":"How can proxy servers be associated with Insecure Deserialization?","answer":"<p>Proxy servers play a crucial role in web security by intercepting and filtering traffic. They can help detect and block malicious requests containing manipulated serialized data, providing an additional layer of defense against insecure deserialization attacks.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki\/477613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/wiki\/477613\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/media\/477614"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/vn\/wp-json\/wp\/v2\/media?parent=477613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}