PHP unserialize() used on user input - Vulnerability Database

PHP unserialize() used on user input

Description

Manual confirmation is required for this alert.

This application uses PHP's unserialize() function to process user-controlled input, which can lead to serious security vulnerabilities. When unserializing data, PHP automatically invokes magic methods such as __wakeup() and __destruct() on object instances. Attackers can exploit this behavior by crafting malicious serialized payloads that trigger unintended code execution paths, manipulate application logic, or cause denial of service conditions. This vulnerability is particularly dangerous because it allows attackers to instantiate arbitrary classes and control object properties during the deserialization process.

Remediation

Avoid using unserialize() on user-controlled input entirely. Implement the following secure alternatives:

1. Use JSON for data serialization: Replace unserialize() with json_decode(). With its second argument set to true it returns only plain arrays and scalars, so it never instantiates application classes or triggers magic methods:

// Instead of:
$data = unserialize($_POST['user_data']);

// Use:
$data = json_decode($_POST['user_data'], true);

2. If object deserialization is absolutely necessary:
- Implement cryptographic signing (HMAC) to verify data integrity before deserialization
- Use allowed_classes parameter (PHP 7.0+) to restrict which classes can be instantiated:
$data = unserialize($input, ['allowed_classes' => ['SafeClass1', 'SafeClass2']]);

3. Validate and sanitize: If unserialize() cannot be avoided, implement strict input validation and consider using a whitelist approach to verify the serialized data structure before processing.

4. Apply defense in depth: Ensure magic methods (__wakeup, __destruct, __toString, etc.) in your classes do not perform dangerous operations or access sensitive resources.
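An added example (not from this page or any Invicti product) that combines remediations 2 and 4 above: an HMAC is verified before unserialize() is ever called, and the call itself is restricted with allowed_classes. The SessionPrefs class, SECRET_KEY and the token format are assumptions for illustration; PHP 7.4+ is assumed for typed properties.

```php
<?php
// Added example (not from the Invicti page or any product): an HMAC check in
// front of unserialize() plus an allowed_classes restriction. The class, the
// key and the token format are assumptions for illustration.

final class SessionPrefs          // hypothetical class the application stores
{
    public string $theme = 'light';
    public int $pageSize = 20;
}

const SECRET_KEY = 'replace-with-a-random-32-byte-key'; // assumed: loaded from config, never hard-coded

// Trusted side: token is "<hex hmac-sha256>.<base64 serialized>".
function signAndSerialize(object $obj): string
{
    $blob = serialize($obj);
    return hash_hmac('sha256', $blob, SECRET_KEY) . '.' . base64_encode($blob);
}

// Untrusted side: verify integrity first, then deserialize only the expected classes.
function verifyAndUnserialize(string $token, array $allowed): ?object
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $blob = base64_decode($encoded, true);
    // hash_equals() is constant-time; a bad MAC means unserialize() never runs.
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, SECRET_KEY), $mac)) {
        return null;
    }
    $obj = unserialize($blob, ['allowed_classes' => $allowed]);
    // Unlisted classes come back as __PHP_Incomplete_Class; reject those as well.
    if (!is_object($obj) || !in_array(get_class($obj), $allowed, true)) {
        return null;
    }
    return $obj;
}

// Constructed inputs: a valid token, and the same token with pageSize edited in transit.
$good  = signAndSerialize(new SessionPrefs());
$prefs = verifyAndUnserialize($good, [SessionPrefs::class]);
echo $prefs instanceof SessionPrefs ? "accepted, pageSize={$prefs->pageSize}\n" : "rejected\n";

[$mac, $encoded] = explode('.', $good, 2);
$tampered = $mac . '.' . base64_encode(str_replace('i:20;', 'i:99;', base64_decode($encoded)));
var_dump(verifyAndUnserialize($tampered, [SessionPrefs::class])); // NULL: MAC mismatch
```

The tampered token is still well-formed serialized data; it is rejected by the MAC check alone, which is the point of signing before deserializing.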
