Mitigating OWASP Top 10 Risks: Finding and Patching Insecure Deserialization in legacy session handling in PHP
Understanding Insecure Deserialization in PHP Session Handling
Insecure deserialization, a critical vulnerability often found in the OWASP Top 10 (currently A08:2021 – Software and Data Integrity Failures), poses a significant threat, especially when it affects how applications manage user sessions. Legacy PHP applications frequently rely on built-in session handling mechanisms that serialize and deserialize session data. If this data is not properly validated or comes from an untrusted source, an attacker can craft malicious serialized objects that, upon deserialization, execute arbitrary code on the server. This is particularly dangerous in older PHP versions where unserialization functions might have had more permissive behaviors or where application logic didn’t adequately sanitize input before storing it in the session.
Identifying Vulnerable Session Handling Patterns
The core of the vulnerability lies in the default PHP session handler, `session.serialize_handler`, which typically uses `php` (or `php_serialize`) or `php_binary`. When `session.use_strict_mode` is not enabled, or when session data is not properly validated before being written, an attacker might be able to inject malicious serialized strings. A common pattern to look for is any code that directly manipulates session data without strict type checking or validation, especially if that data originates from user input or external sources.
Consider a scenario where session data is stored in a way that allows for direct manipulation or injection of serialized objects. This often happens when developers bypass standard session management for specific data points, or when custom session handlers are implemented insecurely.
Exploitation Vector: Crafting Malicious Serialized Objects
The exploitation of insecure deserialization in PHP session handling typically involves creating a PHP object with a “magic method” (like `__wakeup()`, `__destruct()`, or `__toString()`) that, when triggered by the PHP engine during deserialization, performs an unintended action. A common payload involves using functions like `system()`, `exec()`, `passthru()`, or `eval()` to execute arbitrary commands on the server. The attacker would then need a way to inject this malicious serialized string into the session data store.
Let’s illustrate with a simplified, conceptual example of a malicious class. In a real-world scenario, the attacker would need to find a class within the application’s codebase (or a known vulnerable class from a library) that can be leveraged for code execution. For demonstration, we’ll define a hypothetical vulnerable class:
Example Malicious Class (Conceptual)
<?php
class MaliciousCommandExecutor {
private $command;
public function __construct($cmd) {
$this->command = $cmd;
}
// This magic method is called when an object of this class is unserialized
public function __wakeup() {
// In a real attack, this would be a command that compromises the server
// For demonstration, we'll use a simple echo, but it could be system() or exec()
echo "Executing: " . $this->command . "\n";
// system($this->command); // The actual dangerous call
}
}
// Example of creating a malicious serialized string
$command_to_execute = "ls -la /"; // Example command
$malicious_object = new MaliciousCommandExecutor($command_to_execute);
$serialized_payload = serialize($malicious_object);
echo "Serialized Payload: " . $serialized_payload . "\n";
?>
The output of this script would be a string like:
Serialized Payload: O:21:"MaliciousCommandExecutor":1:{s:7:"command";s:12:"ls -la /";}
If this serialized string were to be injected into the session data and then later deserialized by the vulnerable PHP application, the `__wakeup()` method would be invoked, potentially executing the command.
Mitigation Strategy 1: Strict Session Data Validation
The most robust defense is to prevent untrusted data from being deserialized in the first place. This involves rigorous validation of any data that is stored in or retrieved from the session. If you are storing complex objects, ensure that their types are strictly enforced and that no unexpected properties are present. For session data, it’s often best to avoid storing complex, unserializable objects directly. Instead, store primitive types (strings, integers, booleans, arrays of primitives) and reconstruct objects in application logic as needed.
Implementing Type Checking and Whitelisting
When retrieving data from the session, always validate its type and structure. If you expect an array of strings, ensure it is indeed an array and that all its elements are strings. Use `is_array()`, `is_string()`, `ctype_digit()`, etc., extensively. A whitelisting approach for expected session data keys and types is far safer than blacklisting potentially malicious patterns.
Consider this example of safer session data retrieval:
<?php
session_start();
// Assume user_preferences might be stored in session
$user_preferences = $_SESSION['user_preferences'] ?? null;
$valid_preferences = [
'theme' => 'light',
'notifications' => true,
'language' => 'en'
];
$processed_preferences = [];
if (is_array($user_preferences)) {
foreach ($valid_preferences as $key => $defaultValue) {
if (array_key_exists($key, $user_preferences)) {
// Validate type based on expected default value
switch (gettype($defaultValue)) {
case 'string':
if (is_string($user_preferences[$key])) {
$processed_preferences[$key] = $user_preferences[$key];
} else {
// Log or handle invalid type for this key
$processed_preferences[$key] = $defaultValue; // Revert to default
}
break;
case 'boolean':
if (is_bool($user_preferences[$key])) {
$processed_preferences[$key] = $user_preferences[$key];
} else {
$processed_preferences[$key] = $defaultValue;
}
break;
case 'integer':
if (is_int($user_preferences[$key])) {
$processed_preferences[$key] = $user_preferences[$key];
} else {
$processed_preferences[$key] = $defaultValue;
}
break;
// Add more types as needed
default:
// If we don't know how to validate, use default
$processed_preferences[$key] = $defaultValue;
break;
}
} else {
// Key not found, use default
$processed_preferences[$key] = $defaultValue;
}
}
} else {
// Session data for user_preferences is not an array or not set, use defaults
$processed_preferences = $valid_preferences;
}
// Now use $processed_preferences, which is guaranteed to be in a safe format
// For example:
echo "Theme: " . htmlspecialchars($processed_preferences['theme']) . "\n";
echo "Notifications enabled: " . ($processed_preferences['notifications'] ? 'Yes' : 'No') . "\n";
?>
Mitigation Strategy 2: Disabling Unsafe PHP Functions
In older PHP versions, functions like `unserialize()` were more prone to abuse. While `unserialize()` itself is not inherently insecure if used with trusted data, its interaction with magic methods makes it a vector. If your application logic *must* deserialize data, ensure it’s from a trusted source. However, a more drastic but effective measure for legacy systems is to disable or restrict the use of functions that can lead to code execution, especially if they are not strictly necessary for the application’s core functionality.
Using `disable_functions` in `php.ini`
The `disable_functions` directive in `php.ini` allows you to disallow the execution of certain PHP functions. This is a server-wide setting and should be applied with caution, as it can break legitimate application functionality if not carefully managed. For session handling, if you are not explicitly using `unserialize()` in your application code (relying solely on PHP’s internal session mechanism), you might consider if disabling it is feasible. However, the primary risk is PHP’s internal deserialization of session data, not necessarily direct calls to `unserialize()` in your code.
To mitigate risks related to arbitrary code execution via deserialization, you can add functions like `system`, `exec`, `passthru`, `shell_exec`, `popen`, `proc_open`, and `eval` to `disable_functions`. This is a broad security measure that helps prevent many types of code injection attacks, not just those related to deserialization.
; In php.ini disable_functions = system,exec,passthru,shell_exec,popen,proc_open,eval,unserialize
Important Note: Disabling `unserialize()` directly might break standard PHP session handling if the session handler itself relies on it internally in a way that cannot be bypassed. The primary concern is the *content* being deserialized. If you disable `system`, `exec`, etc., you are preventing the *payload* from executing, which is a more direct mitigation for the code execution aspect of deserialization vulnerabilities.
Mitigation Strategy 3: Secure Session Storage and Configuration
Ensuring that session data is stored securely and that PHP’s session management is configured correctly is paramount. This includes using secure session handlers and enabling strict mode.
Enabling `session.use_strict_mode`
PHP’s `session.use_strict_mode` (available since PHP 5.1.0) is a critical setting. When enabled, PHP will only accept session IDs that were generated by PHP itself. This prevents session fixation attacks where an attacker might try to force a user to use a session ID known to the attacker. While not directly preventing deserialization, it hardens the session management layer, making it harder for attackers to manipulate session IDs and potentially inject data.
; In php.ini session.use_strict_mode = 1
This setting should be enabled in your `php.ini` or via runtime configuration:
<?php
ini_set('session.use_strict_mode', 1);
session_start();
?>
Choosing Secure Session Storage Handlers
The default file-based session storage can be vulnerable if file permissions are not set correctly or if the server is misconfigured. Consider using more secure and robust storage mechanisms like:
- Database Storage: Storing session data in a dedicated database table. This allows for better control over access and can be integrated with application-level security measures.
- Redis/Memcached: In-memory data stores offer high performance and can be configured with strong authentication and network access controls.
- Custom Handlers: Implementing a custom session handler that performs strict validation and sanitization before storing or retrieving data.
If using a custom handler, ensure it implements the `SessionHandlerInterface` and that its `read()` and `write()` methods are secure. For example, a custom handler for Redis might look like this (simplified):
<?php
class RedisSessionHandler implements SessionHandlerInterface {
private $redis;
private $prefix;
public function __construct(Redis $redis, string $prefix = 'sess_') {
$this->redis = $redis;
$this->prefix = $prefix;
}
public function open($savePath, $sessionName) {
// Connection should ideally be managed outside this handler
return true;
}
public function close() {
// Connection should ideally be managed outside this handler
return true;
}
public function read($id) {
$data = $this->redis->get($this->prefix . $id);
if ($data === false) {
return '';
}
// IMPORTANT: No unserialization here if data is untrusted.
// If you must store complex objects, they should be serialized *before*
// being passed to write(), and deserialized *after* being read().
// The key is to control *when* and *how* unserialization happens.
return $data;
}
public function write($id, $data) {
// The $data here is already serialized by PHP's session mechanism.
// If you are storing custom objects, ensure they are serialized *before*
// being assigned to $_SESSION.
// Example: $_SESSION['my_obj'] = serialize($my_object);
// PHP's session handler will then serialize the entire $_SESSION array,
// which might include already serialized strings. This can lead to double serialization.
// The safest approach is to store only primitive types in $_SESSION.
// Store data with an expiration time (e.g., 30 minutes)
return $this->redis->setex($this->prefix . $id, 1800, $data);
}
public function destroy($id) {
return $this->redis->del($this->prefix . $id);
}
public function gc($maxlifetime) {
// Redis handles expiration automatically with setex, so GC might not be needed.
// For file-based or other handlers, this would clean up old sessions.
return true;
}
}
// Usage:
// $redis = new Redis();
// $redis->connect('127.0.0.1', 6379);
// $handler = new RedisSessionHandler($redis);
// session_set_save_handler($handler, true);
// session_start();
?>
In this custom handler, the `read()` method simply returns the raw data. The responsibility of deserializing this data (if it’s meant to be an object) falls on the application logic that retrieves it from `$_SESSION`, where it can be validated. The `write()` method receives data already serialized by PHP’s internal mechanism. The critical point is that if you store custom serialized objects in `$_SESSION`, PHP’s session handler will serialize the entire `$_SESSION` array, potentially leading to double serialization or unexpected behavior if not managed carefully.
Runtime Analysis and Patching Legacy Code
When dealing with legacy systems, a thorough code audit is essential. Look for all instances where `$_SESSION` is written to and read from. Pay close attention to any data that originates from user input (GET, POST, COOKIE, headers) and is subsequently stored in `$_SESSION`. Conversely, examine how data is retrieved from `$_SESSION` and used in application logic, especially if it’s passed to functions that could be exploited.
Patching Example: Sanitizing Input Before Session Storage
If you discover that user-controlled data is being directly serialized and stored, the fix is to sanitize it before storage or to avoid storing it altogether. If you must store complex data structures, ensure they are validated and that no malicious classes can be instantiated.
<?php
session_start();
// Vulnerable code example:
// if (isset($_POST['user_settings'])) {
// $_SESSION['user_settings'] = $_POST['user_settings']; // Direct assignment, potentially malicious serialized object
// }
// Patched code example:
if (isset($_POST['user_settings'])) {
$user_settings_input = $_POST['user_settings'];
// Option 1: If expecting a simple string or array of primitives
if (is_string($user_settings_input)) {
// Sanitize string input
$_SESSION['user_settings'] = filter_var($user_settings_input, FILTER_SANITIZE_STRING);
} elseif (is_array($user_settings_input)) {
// Validate and sanitize array elements
$sanitized_settings = [];
foreach ($user_settings_input as $key => $value) {
// Whitelist keys and validate types
if (in_array($key, ['theme', 'language', 'notifications'])) {
if ($key === 'theme' && is_string($value)) {
$sanitized_settings[$key] = filter_var($value, FILTER_SANITIZE_STRING);
} elseif ($key === 'language' && is_string($value)) {
$sanitized_settings[$key] = filter_var($value, FILTER_SANITIZE_STRING);
} elseif ($key === 'notifications' && is_bool($value)) {
$sanitized_settings[$key] = $value;
}
// Add more specific validations as needed
}
}
$_SESSION['user_settings'] = $sanitized_settings;
} else {
// Log or handle unexpected input type
// Do not store if type is not as expected
}
// Option 2: If you absolutely must store an object, ensure it's a known, safe type
// and that its properties are validated. This is generally discouraged for session data.
// Example: If you expect a UserPreferences object, you would deserialize $_POST['user_settings']
// *before* storing it, validate the resulting object, and then re-serialize it.
// This is complex and error-prone. Sticking to primitives is safer.
}
?>
When retrieving data, always validate its type and structure before using it. This is the second line of defense:
<?php
session_start();
$settings = $_SESSION['user_settings'] ?? [];
$theme = 'light'; // Default
if (is_array($settings) && isset($settings['theme']) && is_string($settings['theme'])) {
// Sanitize output for display
$theme = htmlspecialchars($settings['theme']);
}
echo "<body class='" . $theme . "'>";
// ... rest of the page
?>
Conclusion
Insecure deserialization in PHP session handling is a serious vulnerability that can lead to remote code execution. Mitigating this risk requires a multi-layered approach: rigorous input validation before storing data in sessions, secure session configuration (`session.use_strict_mode`), choosing secure session storage mechanisms, and carefully auditing legacy code for insecure patterns. By treating session data as untrusted input and applying strict validation and sanitization, you can significantly reduce the attack surface and protect your applications from this critical OWASP Top 10 threat.