Java deserialization
Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top ten security vulnerabilities for web applications. Pega Platform protects against this vulnerability by using features in the Java JDK.
Pega Platform white-lists known internal classes. At the system level, a global filter checks a blacklist of classes that are not allowed to be deserialized. If the filter flags a data stream as invalid, a security event is written to the security event log and the stream is not deserialized.
You add classes to the global filter by using the Deserialization
Blacklist landing page. By default, the filter blacklists the following classes:
- com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
- org.apache.commons.collections.functors.InvokerTransformer
- org.apache.commons.collections.functors.InstantiateTransformer
- org.apache.commons.collections4.functors.InvokerTransformer
- org.apache.commons.collections4.functors.InstantiateTransformer
- org.apache.xalan.xsltc.trax.TemplatesImpl
- org.codehaus.groovy.runtime.ConvertedClosure
- org.codehaus.groovy.runtime.MethodClosure
- org.springframework.beans.factory.ObjectFactory