Describe a scenario where insecure deserialization could lead to a Remote Code Execution (RCE) vulnerability in a Node.js application. Explain how to prevent this vulnerability.
Node.js interview question for advanced practice.
Answer
Scenario: A Node.js application stores user information in a session cookie. To save space, it serializes a JavaScript object into the cookie string, and it does so with an older, vulnerable serialization library. An attacker intercepts their own cookie and modifies the serialized string.

Vulnerable payload: The attacker crafts a payload that, when deserialized, creates an Immediately Invoked Function Expression (IIFE). Some older or unsafe deserialization libraries can be tricked into executing functions found within the data. Example malicious serialized string (conceptual):

'{"user":"guest","__proto__":{"isAdmin":true,"exec":"require(\"child_process\").execSync(\"touch /tmp/pwned\")"}}'

When the server deserializes this cookie on the next request, the malicious function runs, creating a file on the server and demonstrating Remote Code Execution (RCE).

Prevention:

1. Never deserialize untrusted data. This is the most important rule. If you must accept serialized objects from a client, treat the data as tainted and validate it rigorously before use.

2. Use safe, data-only serialization formats. Prefer simple formats such as JSON (JSON.parse and JSON.stringify), which cannot carry functions or complex object types that could be abused.

3. Verify a signature. If cookies carry session data, always sign them with a strong secret key (e.g., using cookie-session or express-session). Any modification to the cookie then invalidates the signature, so tampered data is rejected before it is deserialized.
Explanation
Insecure deserialization is often overlooked, but it can have severe consequences.