Insecure deserialization

What is it?

Insecure deserialization attacks occur when an attacker can manipulate serialized objects (data formatted for storage or transmission) to change the application's intended flow or to execute arbitrary code. They exploit weaknesses in how an application deserializes input data, typically by supplying crafted data that the target system interprets as a valid object.

Serialization is the process of turning an object into a format that can be transmitted or stored, and deserialization is the reverse process - turning serialized data back into an object. If an application doesn't properly validate or sanitize the serialized objects before deserializing them, it can lead to several types of attacks, such as:

  • Remote Code Execution (RCE)
  • Replay attacks
  • Injection attacks
  • Privilege escalation attacks

Insecure deserialization can occur in any programming language that supports serialized objects, but some common languages where these vulnerabilities often occur include Java, PHP, Python, and .NET.
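The following is an added Python example, not code from the original page, showing the mitigation side of the problem in the Python case mentioned above: a native `pickle.loads` call reconstructs whatever object graph the bytes describe, so the safe options are either an unpickler that only resolves an explicit allowlist of classes (the `find_class` override documented in the Python standard library) or, better, a data-only format such as JSON with explicit field validation. The `Session` class, the allowlist, and the JSON schema are assumptions made for the example.

```python
import collections
import io
import json
import pickle
from dataclasses import dataclass


# Hypothetical application object that is legitimately serialized (assumption for this example).
@dataclass
class Session:
    user_id: int
    role: str


# Only (module, name) pairs listed here may be resolved during deserialization.
# Session.__module__ is used so the entry matches however this file is imported.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist.

    Every class or function referenced by a pickle stream passes through
    find_class, so rejecting unknown names here blocks arbitrary object
    construction instead of trusting the serialized bytes.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global during deserialization: {module}.{name}"
        )


def unsafe_load(blob: bytes):
    # The pattern to avoid on untrusted input: any class the stream names is resolved.
    return pickle.loads(blob)


def restricted_load(blob: bytes):
    # Hardened counterpart: same format, but only allowlisted classes are resolved.
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def rejects(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def session_from_json(text: str) -> Session:
    """Preferred approach: a data-only format plus explicit validation.

    JSON cannot name classes, so deserialization never constructs arbitrary
    objects; the application decides what to build from plain values.
    """
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"user_id", "role"}:
        raise ValueError("unexpected fields in session document")
    user_id = data["user_id"]
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id < 0:
        raise ValueError("user_id must be a non-negative integer")
    if data["role"] not in ("user", "admin"):
        raise ValueError("unknown role")
    return Session(user_id, data["role"])


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate pickle and one that names a
    # class the application never expects to deserialize.
    legitimate = pickle.dumps(Session(7, "user"))
    unexpected = pickle.dumps(collections.OrderedDict())
    print("restricted loader accepts legitimate session:", restricted_load(legitimate))
    print("restricted loader rejects unexpected class:", rejects(unexpected))
    print("unsafe loader happily builds it:", type(unsafe_load(unexpected)).__name__)
    print("json path:", session_from_json('{"user_id": 7, "role": "admin"}'))
```

The allowlisted unpickler limits damage but still parses a format designed to instantiate objects, which is why the JSON path is the recommended design: the wire format carries values only, and the validator decides which object to construct.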

For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages.
