Proposed Skill
Skill name: insecure-deserialization-review
Category: other
Severity: critical
What It Detects
Detects dangerous deserialization of untrusted data in languages and frameworks that allow object gadget execution, unexpected type materialization, or unsafe polymorphic binding.
Why This Skill Is Needed
The repo lacks a dedicated deserialization skill, yet this remains a high-impact class across web, API, and messaging systems. Existing secure-code-review guidance is too broad to drive specific tests or remediation here.
Detection Approach
Look for unsafe object deserializers, polymorphic type binding, trusted-by-default message queues, and missing allowlists for concrete types or schemas.
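The detection approach above, turned into a small line-oriented scanner as an added example (this is not the repo's own skill code). It is Python so it can run against source in any language; the rule table, the mitigation markers and the two sample files are constructed for this example, and the regexes are deliberately narrow. A rule matches one line; a per-line safe marker (for instance SafeLoader on a yaml.load call) suppresses the match, and a file-level mitigation marker (an ObjectInputFilter) is recorded on the finding rather than clearing it, because the allowlist itself still needs review.

```python
import re
from dataclasses import dataclass

# Constructed rule table: (rule id, regex, language, rationale, per-line safe markers).
RULES = [
    ("JAVA_NATIVE_DESER", r"\bnew\s+ObjectInputStream\s*\(", "java",
     "java.io native deserialization; any Serializable class on the classpath can be materialized", ()),
    ("JACKSON_DEFAULT_TYPING", r"\b(enableDefaultTyping|activateDefaultTyping)\s*\(", "java",
     "Jackson polymorphic type binding driven by class names in the input", ()),
    ("PY_PICKLE", r"\bpickle\.loads?\s*\(", "python",
     "pickle reconstructs arbitrary callables named in the stream", ()),
    ("PY_YAML_UNSAFE", r"\byaml\.(load|unsafe_load)\s*\(", "python",
     "yaml.load without SafeLoader constructs arbitrary Python objects", ("SafeLoader",)),
    ("PHP_UNSERIALIZE", r"\bunserialize\s*\(", "php",
     "unserialize() on untrusted input can drive __wakeup/__destruct gadgets", ()),
    ("DOTNET_BINARYFORMATTER", r"\bBinaryFormatter\b", "csharp",
     "BinaryFormatter is unsafe for untrusted input by design", ()),
]

# File-level markers that indicate an allowlist mechanism is in play (constructed list).
MITIGATION_MARKERS = {"java": ("ObjectInputFilter", "setObjectInputFilter")}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    line: str
    rationale: str
    mitigation_seen: bool  # an allowlist mechanism appears somewhere in the same file

def scan(source: str, lang: str) -> list[Finding]:
    """Return one Finding per matching, non-comment line of `source` for language `lang`."""
    mitigated = any(m in source for m in MITIGATION_MARKERS.get(lang, ()))
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue  # skip comment lines; they are not sinks
        for rule_id, pattern, rule_lang, rationale, safe_markers in RULES:
            if rule_lang != lang or not re.search(pattern, line):
                continue
            if any(m in line for m in safe_markers):
                continue  # e.g. yaml.load(text, Loader=yaml.SafeLoader)
            findings.append(Finding(rule_id, no, stripped, rationale, mitigated))
    return findings

# Constructed samples: the first mirrors the page's vulnerable Java snippet.
JAVA_SAMPLE = """\
import java.io.ObjectInputStream;
// request body is attacker-controlled
ObjectInputStream ois = new ObjectInputStream(req.getInputStream());
Object obj = ois.readObject();
mapper.activateDefaultTyping(ptv);
"""

PY_SAMPLE = """\
import pickle, yaml
data = pickle.loads(body)
cfg = yaml.safe_load(text)
cfg2 = yaml.load(text, Loader=yaml.SafeLoader)
"""

if __name__ == "__main__":
    for lang, src in (("java", JAVA_SAMPLE), ("python", PY_SAMPLE)):
        for f in scan(src, lang):
            print(f"{lang}:{f.line_no}: {f.rule_id} (mitigation_seen={f.mitigation_seen}) {f.line}")
```

The scanner reports the sink, not whether the input is actually untrusted; a reviewer still has to trace the stream back to its source, which is why the skill pairs this with the allowlist check rather than treating a hit as a confirmed finding.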
Languages / Frameworks
Example Vulnerable Code
// Untrusted request body handed straight to Java native deserialization (CWE-502):
// any Serializable class on the classpath can be materialized, and gadget-chain
// side effects run inside readObject() before the caller ever inspects the result.
ObjectInputStream ois = new ObjectInputStream(req.getInputStream());
Object obj = ois.readObject();
Example Remediation
Use schema-bound JSON/protobuf parsing with explicit type allowlists and reject unexpected class metadata or polymorphic type hints.
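The remediation above as a worked example, added here and not part of the original proposal: a schema-bound JSON consumer with an explicit type allowlist. The message format (a "type" discriminator plus a "payload" object), the two dataclasses, the list of type-hint keys and the sample messages are all constructed for this example. JSON parsing itself yields only plain dict/list/scalar values, so the remaining risk is in the binding step; the code rejects any class-metadata key anywhere in the document, binds only discriminator values present in the allowlist, and rejects unknown, missing or mistyped fields instead of tolerating them.

```python
import json
from dataclasses import dataclass, fields

# Keys various serializers use to carry class metadata or polymorphic type hints
# (constructed list; extend it with whatever your stack's serializers emit).
TYPE_HINT_KEYS = {"@class", "@type", "$type", "__class__", "py/object", "py/reduce"}

@dataclass(frozen=True)
class OrderCreated:
    order_id: str
    amount_cents: int

@dataclass(frozen=True)
class OrderCancelled:
    order_id: str
    reason: str

# Explicit allowlist: the discriminator names a concrete class; nothing else binds.
ALLOWED_TYPES = {"order.created": OrderCreated, "order.cancelled": OrderCancelled}

class UnsafeMessage(ValueError):
    """Raised for any message that fails the allowlist or schema checks."""

def _reject_type_hints(node, path="$"):
    # Walk the whole document so hints nested inside lists or sub-objects are caught too.
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_HINT_KEYS:
                raise UnsafeMessage(f"type hint {key!r} at {path}")
            _reject_type_hints(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _reject_type_hints(value, f"{path}[{i}]")

def parse_message(raw: bytes, max_bytes: int = 64 * 1024):
    """Parse an untrusted message into exactly one allowlisted dataclass or raise UnsafeMessage."""
    if len(raw) > max_bytes:
        raise UnsafeMessage("message too large")
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise UnsafeMessage("top-level value must be an object")
    _reject_type_hints(doc)
    cls = ALLOWED_TYPES.get(doc.get("type"))
    if cls is None:
        raise UnsafeMessage(f"type {doc.get('type')!r} not in allowlist")
    payload = doc.get("payload")
    if not isinstance(payload, dict):
        raise UnsafeMessage("payload must be an object")
    expected = {f.name: f.type for f in fields(cls)}
    unknown, missing = set(payload) - set(expected), set(expected) - set(payload)
    if unknown or missing:
        raise UnsafeMessage(f"schema mismatch: unknown={sorted(unknown)} missing={sorted(missing)}")
    for name, typ in expected.items():
        value = payload[name]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise UnsafeMessage(f"field {name!r} must be {typ.__name__}")
    return cls(**payload)

def is_rejected(raw: bytes) -> bool:
    """True if parse_message refuses the input (convenience for checks and tests)."""
    try:
        parse_message(raw)
    except UnsafeMessage:
        return True
    return False

# Constructed sample messages.
GOOD = b'{"type":"order.created","payload":{"order_id":"A1","amount_cents":1999}}'
HINTED = b'{"type":"order.created","payload":{"order_id":"A1","amount_cents":1,"@class":"x"}}'
NOT_ALLOWLISTED = b'{"type":"order.refunded","payload":{"order_id":"A1"}}'
WRONG_FIELD_TYPE = b'{"type":"order.created","payload":{"order_id":"A1","amount_cents":"1999"}}'

if __name__ == "__main__":
    print(parse_message(GOOD))
    for sample in (HINTED, NOT_ALLOWLISTED, WRONG_FIELD_TYPE):
        print(sample, "rejected" if is_rejected(sample) else "accepted")
```

The same shape applies to protobuf: the schema fixes the concrete message type up front, so there is no class name in the wire format for the consumer to bind from; what is left to check is the discriminator allowlist and field validation, which is what this example isolates.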
References
- CWE-502
- OWASP Deserialization Cheat Sheet
Estimated Complexity
Bounty Info