
https://www.techtarget.com/searchsecurity/definition/insecure-deserialization

insecure deserialization

By Alexander S. Gillis

What is insecure deserialization?

Insecure deserialization is a vulnerability in which an application deserializes untrusted or unknown data, letting an attacker inflict a denial-of-service attack, execute code, bypass authentication or otherwise abuse the logic behind the application.

Serialization is the process that converts an object into a format that can later be restored. Deserialization is the reverse process: it takes data from a file, stream or network and rebuilds it into an object.

Serialized objects can be structured as text, such as JSON, XML or YAML. Serialization and deserialization are safe, common processes in web applications. However, an attacker can abuse the deserialization process if it is left insecure. Attackers could, for example, inject hostile serialized objects into a web app, and the victim's computer would then deserialize the hostile data. From there the attacker can change the angle of attack, making insecure deserialization the initial entry point into the victim's computer.

How to detect insecure deserialization

Attacks that exploit insecure deserialization are hard to detect because deserialization relies on the same common code libraries used throughout web development, so the malicious input looks like ordinary application traffic. Some ways to identify insecure deserialization include the following:

How to avoid insecure deserialization

Use the following best practices to avoid insecure deserialization:
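The snippet below is an added illustration, not code from the TechTarget article: it places the insecure pattern (deserializing untrusted bytes with a loader that will resolve any importable name) beside a hardened loader that only restores types on an explicit allow-list. The `Session` class, the allow-list contents and the sample byte strings are all constructed for this example; the allow-list technique follows the `pickle.Unpickler.find_class` override documented in the Python standard library.

```python
import io
import pickle
from dataclasses import dataclass


# A type the application legitimately serializes (constructed for this example).
@dataclass
class Session:
    user: str
    roles: list


# Allow-list of (module, name) pairs the loader may resolve. Any other global
# named in the stream is refused before it can be looked up or called.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def unsafe_loads(data: bytes):
    """Insecure pattern: pickle.loads resolves whatever name the stream asks for."""
    return pickle.loads(data)


def restricted_loads(data: bytes):
    """Hardened pattern: same stream, but only allow-listed types are restored."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed inputs: a legitimate session object, and a stream that merely
# references a global outside the allow-list. A harmless builtin stands in for
# the callables an attacker would name; the loader's behaviour is the point.
LEGIT = pickle.dumps(Session("alice", ["reader"]))
UNEXPECTED_GLOBAL = pickle.dumps(len)

if __name__ == "__main__":
    print(restricted_loads(LEGIT))          # Session(user='alice', roles=['reader'])
    print(unsafe_loads(UNEXPECTED_GLOBAL))  # plain loader resolved the global
    print(is_rejected(UNEXPECTED_GLOBAL))   # True
```

Refusing to resolve unexpected globals is only one layer: the article's other practices, such as preferring data-only formats and validating input before it reaches a deserializer, still apply.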

07 Aug 2023
