Insecure Deserialization

Insecure Deserialization occurs when an application deserializes untrusted data without proper validation. Attackers can manipulate serialized objects to achieve denial of service, access control bypass, or remote code execution.

How It Works

# Application receives serialized data from the client, e.g. a session cookie
# (request is the web framework's request object)
import pickle

data = request.get("session")

# Deserializes without validation: pickle rebuilds whatever objects the bytes
# describe, including classes chosen by the sender
obj = pickle.loads(data)  # DANGEROUS!

# Attacker crafts a malicious serialized object; its methods (in Python,
# __reduce__ / __setstate__) run during deserialization, before the
# application ever inspects the result

Impact

  • Remote Code Execution: Via gadget chains (existing classes on the classpath whose deserialization hooks are chained into dangerous operations)
  • Privilege Escalation: Modifying the user role stored in a serialized session
  • Data Tampering: Changing prices, quantities or other fields in serialized objects
  • DoS: Resource exhaustion (memory, CPU) during deserialization of crafted input

Vulnerable Technologies

  • Java: ObjectInputStream, XStream, Jackson (with polymorphic default typing enabled)
  • PHP: unserialize()
  • Python: pickle, PyYAML
  • Ruby: Marshal.load()
  • .NET: BinaryFormatter, JSON.NET with TypeNameHandling

Prevention

  • Don't deserialize untrusted data
  • Use safe, data-only serialization formats (JSON without type handling)
  • Implement integrity checks (HMAC) on serialized data, and verify them before deserializing
  • Use allowlists for the classes the deserializer may instantiate
  • Keep serialization libraries updated
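The following is an added example, not code from the original page, showing three of the preventions above applied to the pickle-based session from "How It Works": an HMAC tag checked before any deserialization (so the forged "admin" session from the Impact list is rejected outright), an allowlist-restricted unpickler that refuses every class reference, and a JSON variant that carries no class references at all. The key, the session contents and the attacker inputs are constructed for the demo; `RestrictedUnpickler`, `make_session` and `load_session` are names assumed here.

```python
import collections
import hashlib
import hmac
import io
import json
import pickle
from typing import Optional

# Assumption: in real code the key comes from a secret store, never from source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


# --- Prevention: integrity check (HMAC) on the serialized bytes --------------
def sign(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return b'<hex tag>.<payload>'; the tag covers the raw serialized bytes."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def verify(signed: bytes, key: bytes = SECRET_KEY) -> Optional[bytes]:
    """Return the payload only if its tag matches, else None.
    Verification happens BEFORE deserialization, so forged bytes never reach
    pickle at all. The hex tag contains no '.', so the first '.' is ours."""
    tag, sep, payload = signed.partition(b".")
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return payload


# --- Prevention: allowlist of classes the unpickler may resolve -------------
class RestrictedUnpickler(pickle.Unpickler):
    """Only plain builtin containers and scalars are allowed; any other
    module.class reference (what gadget chains rely on) is refused."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"{module}.{name} is not on the allowlist")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejected_by_allowlist(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# --- Session helpers: sign on the way out, verify + allowlist on the way in ---
def make_session(session: dict) -> bytes:
    return sign(pickle.dumps(session, protocol=4))


def load_session(cookie: bytes) -> Optional[dict]:
    payload = verify(cookie)
    if payload is None:
        return None
    return safe_loads(payload)


# --- Prevention: prefer a data-only format; JSON carries no class references --
def load_json_session(cookie: bytes) -> Optional[dict]:
    payload = verify(cookie)
    return None if payload is None else json.loads(payload)


def demo() -> dict:
    genuine = make_session({"user": "alice", "role": "user"})
    # Constructed attacker input: a re-serialized session with role "admin",
    # carrying a tag made with a guessed key because the attacker lacks SECRET_KEY.
    forged = sign(pickle.dumps({"user": "alice", "role": "admin"}), key=b"guess")
    # Constructed payload that references a class. OrderedDict is harmless; the
    # allowlist treats every class reference the same way, harmless or not.
    class_ref = pickle.dumps(collections.OrderedDict(), protocol=4)
    return {
        "genuine": load_session(genuine),
        "forged": load_session(forged),
        "class_reference_rejected": rejected_by_allowlist(class_ref),
        "json": load_json_session(sign(json.dumps({"role": "user"}).encode())),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the plain dict session never triggers `find_class` at all, because pickle encodes builtin containers and scalars with dedicated opcodes; only a payload that names a module and class reaches the allowlist, which is exactly the case the check exists for. Also note that the HMAC protects only data the server itself produced: it stops tampering and forgery, but does nothing for input that was never signed, which is why the JSON variant (or not deserializing untrusted input at all) remains the first choice.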

PentesterLab Exercises

See Also