How to Check Object Serialization Files for Insecure Deserialization Threats using a Free API in PHP
Insecure deserialization can lead to a variety of severe cyber-attacks including Denial of Service, Remote Code Execution, and even SQL injection.
Thankfully, if we’re careful about how we verify object serialization file contents, we can identify insecure deserialization attacks before they reach vulnerable data parsers.
When we use a free API to handle verification, we don’t have to write or maintain a ton of code in the process of improving our object serialization security. We can simply copy and paste code to structure a low-code API call, allowing a reliable web service to handle the rest.
Using the below PHP code examples, we can take advantage of a free API that identifies several content threats — including insecure deserialization in object serialization files — and provides a custom threat parameter ($allow_insecure_deserialization) designed to block insecure deserialization threats. This API also performs a virus and malware scan for good measure, referencing file upload contents against a continuously updated list of more than 17 million virus and malware signatures.
To take advantage of this API, we can begin by installing the PHP client. Let’s execute the below command from our command line to install via Composer:
composer require cloudmersive/cloudmersive_virusscan_api_clientNext, let’s call the function using the below code examples. We can set our $allow_insecure_deserialization parameter to false to ensure insecure deserialization threats receive a “CleanResult”: false response (the same response assigned to files containing virus and malware signatures):
<?php
require_once(__DIR__ . '/vendor/autoload.php');
// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');
$apiInstance = new Swagger\Client\Api\ScanApi(
new GuzzleHttp\Client(),
$config
);
$input_file = "/path/to/inputfile"; // \SplFileObject | Input file to perform the operation on.
$allow_executables = true; // bool | Set to false to block executable files (program code) from being allowed in the input file. Default is false (recommended).
$allow_invalid_files = true; // bool | Set to false to block invalid files, such as a PDF file that is not really a valid PDF file, or a Word Document that is not a valid Word Document. Default is false (recommended).
$allow_scripts = true; // bool | Set to false to block script files, such as a PHP files, Python scripts, and other malicious content or security threats that can be embedded in the file. Set to true to allow these file types. Default is false (recommended).
$allow_password_protected_files = true; // bool | Set to false to block password protected and encrypted files, such as encrypted zip and rar files, and other files that seek to circumvent scanning through passwords. Set to true to allow these file types. Default is false (recommended).
$allow_macros = true; // bool | Set to false to block macros and other threats embedded in document files, such as Word, Excel and PowerPoint embedded Macros, and other files that contain embedded content threats. Set to true to allow these file types. Default is false (recommended).
$allow_xml_external_entities = true; // bool | Set to false to block XML External Entities and other threats embedded in XML files, and other files that contain embedded content threats. Set to true to allow these file types. Default is false (recommended).
$allow_insecure_deserialization = true; // bool | Set to false to block Insecure Deserialization and other threats embedded in JSON and other object serialization files, and other files that contain embedded content threats. Set to true to allow these file types. Default is false (recommended).
$allow_html = true; // bool | Set to false to block HTML input in the top level file; HTML can contain XSS, scripts, local file accesses and other threats. Set to true to allow these file types. Default is false (recommended) [for API keys created prior to the release of this feature default is true for backward compatability].
$restrict_file_types = "restrict_file_types_example"; // string | Specify a restricted set of file formats to allow as clean as a comma-separated list of file formats, such as .pdf,.docx,.png would allow only PDF, PNG and Word document files. All files must pass content verification against this list of file formats, if they do not, then the result will be returned as CleanResult=false. Set restrictFileTypes parameter to null or empty string to disable; default is disabled.
try {
$result = $apiInstance->scanFileAdvanced($input_file, $allow_executables, $allow_invalid_files, $allow_scripts, $allow_password_protected_files, $allow_macros, $allow_xml_external_entities, $allow_insecure_deserialization, $allow_html, $restrict_file_types);
print_r($result);
} catch (Exception $e) {
echo 'Exception when calling ScanApi->scanFileAdvanced: ', $e->getMessage(), PHP_EOL;
}
?>Before we start scanning files, we’ll just need to authorize our connection with a free Cloudmersive API key. This will allow us to make a limit of 800 API calls per month with zero commitments (once we reach our limit, our total will reset the following month).
Now we can easily identify threatening object serialization files and scan file contents for a wide range of additional threats using just a few lines of PHP code.
