# Insecure deserialization

## What is it?

Insecure deserialization attacks occur when an attacker can tamper with serialized objects (data formatted for storage or transmission) in order to change the application's intended flow or to execute arbitrary code. The root weakness is a deserializer that trusts its input: it instantiates whatever types the data names and runs their deserialization hooks, so an attacker who controls the bytes can supply an object graph the developer never intended to load.

Serialization is the process of turning an object into a format that can be transmitted or stored, and deserialization is the reverse process: turning serialized data back into an object. If an application deserializes data that an untrusted party can modify without validating or integrity-checking it first, it can lead to several types of attacks, such as:

* Remote Code Execution (RCE)
* Replay attacks
* Injection attacks
* Privilege escalation attacks

Insecure deserialization can occur in any programming language that supports serialized objects, but it is most commonly found in Java (`ObjectInputStream`), PHP (`unserialize()`), Python (`pickle`), and .NET (`BinaryFormatter`), where the native serialization formats can reference arbitrary classes and invoke code while loading.
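The following is an added example written for this page, not code from the original page or from any real project, using Python's `pickle` because it is one of the formats listed above. It shows the three pieces a practitioner wants to see side by side: a deserialization sink that trusts its input, a constructed attacker payload that abuses it (`__reduce__` makes `pickle` call an attacker-chosen function during loading; the function here is the harmless `len` so the demo has no side effects, where a real attacker would pick `os.system`), and a hardened loader that combines a class allow-list with an HMAC integrity check. All names (`UserSession`, `load_session_unsafe`, `RestrictedUnpickler`, `SECRET_KEY`) are illustrative assumptions.

```python
"""Added example (not from the original page): a trusting pickle sink, a
constructed malicious payload, and a hardened loader with allow-list + HMAC.
All names here are illustrative assumptions, not a real project's API."""
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass


@dataclass
class UserSession:
    """The only type the application legitimately expects to deserialize."""
    username: str
    role: str


# Allow-list of (module, qualified name) pairs derived from the real classes,
# so it stays correct whether this file runs as __main__ or is imported.
SAFE_CLASSES = {(cls.__module__, cls.__qualname__) for cls in (UserSession,)}


class AttackerPayload:
    """Constructed malicious object. pickle stores the callable and arguments
    returned by __reduce__, and pickle.loads() invokes them during loading.
    builtins.len is used so the demo is harmless; os.system would be the
    real-world choice."""

    def __reduce__(self):
        return (len, ("pwned",))


def build_attacker_blob() -> bytes:
    """What an attacker would submit in place of a legitimate session blob."""
    return pickle.dumps(AttackerPayload())


def build_session_blob(username: str, role: str) -> bytes:
    """What the server itself produces for a legitimate session."""
    return pickle.dumps(UserSession(username, role))


def load_session_unsafe(blob: bytes):
    """Vulnerable: pickle.loads imports and calls any object the blob names.
    Loading the attacker blob returns len("pwned") == 5, proving that an
    attacker-chosen callable ran inside the server process."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only classes on the allow-list may be resolved by name.
    Everything else (builtins.len, os.system, subprocess.Popen, ...) is
    refused before it can be called."""

    def find_class(self, module, name):
        if (module, name) in SAFE_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Second layer: integrity-protect blobs that leave the server (cookies, hidden
# form fields) so a client cannot tamper with them at all. The key must stay
# server-side; the value below is an assumption for the demo.
SECRET_KEY = b"server-side-secret-never-sent-to-clients"
TAG_LEN = hashlib.sha256().digest_size


def sign(blob: bytes) -> bytes:
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest() + blob


def verify_and_load(signed: bytes):
    tag, blob = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature: blob was not produced by this server")
    return load_session_restricted(blob)


def rejects(loader, blob: bytes) -> bool:
    """True if the loader refuses the blob instead of deserializing it."""
    try:
        loader(blob)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


if __name__ == "__main__":
    evil = build_attacker_blob()
    print("unsafe loader ran attacker callable, got:", load_session_unsafe(evil))
    print("restricted loader rejects attacker blob:", rejects(load_session_restricted, evil))
    print("signed legit blob loads as:", verify_and_load(sign(build_session_blob("alice", "admin"))))
    print("unsigned attacker blob rejected by HMAC:", rejects(verify_and_load, evil))
```

The allow-list is the control that actually stops code execution: the HMAC alone only guarantees the blob came from the server, which is enough for cookies the server generated but does nothing if the server deserializes data from a queue, file or upstream service that an attacker can write to. Where possible the better fix is to avoid native object serialization for untrusted input entirely and use a data-only format such as JSON with explicit schema validation.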

For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages.

