AppSecExplained

Insecure deserialization

What is it?

Insecure deserialization attacks occur when an attacker is able to manipulate serialized objects (objects formatted for storage or transmission) in order to change the application's intended flow or to execute arbitrary code. These attacks exploit weaknesses in the way applications deserialize input data, typically by supplying crafted data that the target system interprets as a valid object.

Serialization is the process of turning an object into a format that can be transmitted or stored; deserialization is the reverse process: turning serialized data back into an object. If an application doesn't properly validate or sanitize serialized objects before deserializing them, this can lead to several types of attacks, such as:

  • Remote Code Execution (RCE)
  • Replay attacks
  • Injection attacks
  • Privilege escalation attacks

Insecure deserialization can occur in any programming language that supports serialized objects, but some common languages where these vulnerabilities often occur include Java, PHP, Python, and .NET.

For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages.
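To make the "validate before deserializing" point concrete, here is an added example (not code from AppSecExplained) using Python's pickle format: a default pickle.loads() will resolve and call whatever importable callable the byte stream names, while an allowlisting Unpickler rejects anything outside the types the application expects. The UserSession type, the _Tampered stand-in for attacker-controlled bytes and the SAFE_GLOBALS allowlist are constructed for this example.

```python
import io
import os
import pickle

class UserSession:
    """Constructed example of a type the application legitimately serializes."""
    def __init__(self, username: str, role: str):
        self.username = username
        self.role = role

# (module, name) pairs the deserializer may resolve; anything else named in the
# byte stream is rejected before it is imported or called.
SAFE_GLOBALS = {(__name__, "UserSession")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.loads() imports and calls whatever callable the stream names.
    find_class is the stdlib's documented hook for enforcing an allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

class _Tampered:
    """Constructed stand-in for attacker-controlled bytes: its stream tells the
    unpickler to call os.getcwd (harmless here, but any importable callable
    can be named the same way)."""
    def __reduce__(self):
        return (os.getcwd, ())

def legitimate_roundtrip() -> bool:
    obj = restricted_loads(pickle.dumps(UserSession("alice", "user")))
    return isinstance(obj, UserSession) and obj.role == "user"

def unrestricted_load_calls_callable() -> bool:
    # The default loader executes the call embedded in the stream.
    return pickle.loads(pickle.dumps(_Tampered())) == os.getcwd()

def restricted_load_blocks_callable() -> bool:
    try:
        restricted_loads(pickle.dumps(_Tampered()))
    except pickle.UnpicklingError:
        return True
    return False
```

The same allowlisting idea applies to the other formats the child pages cover (Java's ObjectInputFilter, PHP's allowed_classes option for unserialize()); the safest option remains a data-only format such as JSON validated against a schema.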

Last updated 1 year ago