Insecure Deserialization

What is Insecure Deserialization?

Insecure deserialization occurs when applications deserialize untrusted data without validation, potentially allowing attackers to achieve remote code execution, privilege escalation, or data tampering.

Insecure deserialization occurs when an application converts serialized data back into objects without verifying where that data came from or which types it is allowed to contain. Deserialization is not a passive copy: depending on the format it can instantiate arbitrary classes and invoke their callbacks (readObject in Java, __wakeup and __destruct in PHP, __reduce__ in Python). An attacker who controls the serialized bytes therefore controls which code runs, which can lead to code execution, object manipulation (for example, rewriting a role or user ID field), or injection into downstream sinks. Remote code execution is the most severe outcome.

How do deserialization attacks work?

Attackers first find inputs that the application deserializes (Java ObjectInputStream, Python pickle, PHP unserialize, .NET BinaryFormatter). These typically arrive in cookies, hidden form fields, request bodies, message-queue entries, or cache values, and they are easy to recognise by their headers (a Java stream begins with the bytes AC ED 00 05, or rO0AB when base64-encoded; a PHP object begins with O:). The attacker then crafts a payload that references classes already present on the server and chains their methods so that the act of deserializing performs file access, command execution, or arbitrary code execution. No attacker code is uploaded; the payload only names existing classes and the data to feed them. Python pickle is the simplest case, since the format can directly instruct the loader to call any importable function with attacker-chosen arguments.

What are gadget chains in deserialization?

Gadget chains are sequences of existing classes in the application's classpath whose methods, when invoked during deserialization, chain together to perform an operation the developer never intended, typically ending in a call such as Runtime.exec. Tools like ysoserial (Java) and ysoserial.net generate payloads for known gadget chains in popular libraries (for example Apache Commons Collections), which makes exploitation largely automatic once a vulnerable endpoint is found. Because a chain only needs the library to be loadable, an application can be exploitable through a dependency it never uses for serialization itself.

Which languages and frameworks are affected?

Java is most commonly affected due to widespread use of ObjectInputStream and the number of publicly documented gadget chains. PHP (unserialize), Python (pickle), Ruby (Marshal), .NET (BinaryFormatter, which Microsoft has since deprecated, and JavaScriptSerializer when used with a type resolver), and Node.js (node-serialize) are also affected. Any language or library that reconstructs objects from a format carrying type names can potentially be exploited; even JSON parsers become a problem when configured to honour type information supplied in the input.

How do you prevent insecure deserialization?

Prevention starts with not deserializing untrusted data at all: prefer plain data formats such as JSON with a fixed schema, and have the application build its own objects from the parsed fields rather than letting the parser choose the types. Where native serialization cannot be removed, apply an HMAC (or a signature) to the serialized bytes, verify it before any parsing, and treat a failed check as an attack rather than corruption; restrict deserializable types with an allowlist (Java's ObjectInputFilter, the allowed_classes option of PHP's unserialize(), an overridden find_class on a Python Unpickler) rather than a denylist of known gadgets, which new chains bypass; keep libraries updated so that published gadget chains stop working; and log deserialization failures so that malformed or rejected streams are visible to monitoring. An integrity check only helps while the key stays secret and the server never deserializes anything it has not verified; the allowlist is the layer that still holds if the key leaks.
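The following Python example is added here and is not code from the original page or from any particular project. It uses pickle, one of the formats the page lists, to show both halves of the story told in the sections above: an attacker-controlled pickle that runs eval() as a side effect of pickle.loads (the pickle case of "how attacks work"), and a hardened loader that verifies an HMAC before parsing and then allowlists the single class the application expects. The Session class, the Exploit class, the allowlist, the marker expression, and the demo key are all constructed for the example.

```python
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass


@dataclass
class Session:
    """The only type this application legitimately serialises (constructed)."""
    user: str
    role: str


class Exploit:
    """Attacker-side helper. Pickling an instance emits a stream that, when
    loaded, calls builtins.eval on EXPR. The Exploit class itself is never
    sent: the stream only names eval and the string argument."""

    # Hypothetical marker expression so the demo stays harmless; a real
    # payload would put os.system(...) or a reverse shell here instead.
    EXPR = "__import__('os').getpid()"

    def __reduce__(self):
        return (eval, (self.EXPR,))


def attacker_payload() -> bytes:
    return pickle.dumps(Exploit())


def vulnerable_load(blob: bytes):
    """Typical vulnerable code: trusts the bytes completely. eval() runs
    inside pickle.loads, before the caller ever sees an object."""
    return pickle.loads(blob)


# ---- hardened path: integrity check first, then a type allowlist ---------

ALLOWED_CLASSES = {(__name__, "Session")}   # allowlist, never a denylist
MAC_LEN = hashlib.sha256().digest_size


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every class reference that is not on the allowlist. pickle
    resolves globals through find_class, so builtins.eval, os.system and
    any gadget are rejected before they are even looked up."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden class {module}.{name}")


def sign(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def safe_dumps(obj, key: bytes) -> bytes:
    body = pickle.dumps(obj)
    return sign(body, key) + body


def safe_loads(blob: bytes, key: bytes):
    mac, body = blob[:MAC_LEN], blob[MAC_LEN:]
    if not hmac.compare_digest(mac, sign(body, key)):
        raise ValueError("integrity check failed")   # nothing parsed yet
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Runs the four cases and returns what happened in each."""
    results = {}
    # 1. vulnerable consumer: eval() executes and its result comes back
    results["vulnerable"] = vulnerable_load(attacker_payload())
    # 2. legitimate round-trip through the hardened loader
    results["legit"] = safe_loads(safe_dumps(Session("alice", "user"), key), key)
    # 3. unsigned attacker payload: rejected by the MAC before parsing
    try:
        safe_loads(attacker_payload(), key)
    except ValueError as exc:
        results["unsigned"] = str(exc)
    # 4. key leaked and the attacker signs the payload: allowlist still stops it
    body = attacker_payload()
    try:
        safe_loads(sign(body, key) + body, key)
    except pickle.UnpicklingError as exc:
        results["signed_but_forbidden"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome!r}")
```

Two design points matter here. The MAC is checked over the raw bytes before the unpickler touches them, because a parser that has already started executing opcodes cannot be "un-run". And the allowlist is keyed on (module, class) pairs resolved in find_class, which is the one choke point every class reference in a pickle passes through; a denylist of known-bad callables would miss the next gadget.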

How do you detect deserialization vulnerabilities?

Detection starts with locating the places that deserialize: code review for calls such as ObjectInputStream.readObject, unserialize(), pickle.loads, Marshal.load, or BinaryFormatter.Deserialize, and SAST tools that flag those sinks when they are reachable from external input. At the traffic level, serialized blobs have recognisable headers (Java streams start with AC ED 00 05, or rO0AB in base64; PHP objects with O:; pickle protocol 2 and later with 0x80 followed by the protocol number), so cookies, parameters, and bodies can be checked for them. Dynamic testing then sends known gadget-chain payloads to the endpoints found. On the operational side, serialization-related exceptions in logs (ClassNotFoundException, InvalidClassException, StreamCorruptedException, PHP's __PHP_Incomplete_Class) often indicate probing with payloads built for a library the server does not have, and RASP tools can block exploitation attempts at runtime by rejecting unexpected classes.
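As an added example (not the page's own tooling), the Python below implements two of the checks just described: recognising native serialization formats in request fields by their leading bytes, including base64- and URL-encoded copies, and flagging the log lines that carry the exception names typical of deserialization probing. The request fields, the exception-hint list, and the log lines are constructed for the example; the magic bytes are the documented stream headers of each format.

```python
import base64
import binascii
import pickle
import re
from typing import Dict, Iterator, List
from urllib.parse import unquote_to_bytes

# Leading bytes of common native serialization streams (documented headers).
MAGIC = [
    ("java", b"\xac\xed\x00\x05"),               # ObjectOutputStream STREAM_MAGIC + version 5
    ("dotnet-binaryformatter",                  # SerializationHeaderRecord: RootId 1, HeaderId -1, v1.0
     b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"),
    ("ruby-marshal", b"\x04\x08"),               # Marshal format version 4.8
]
PICKLE_RE = re.compile(rb"\x80[\x02-\x05]")     # PROTO opcode for pickle protocols 2..5
PHP_RE = re.compile(rb'O:\d+:"[^"]+":\d+:\{')   # serialised PHP object: O:<len>:"<class>":<n>:{
NODE_MARKER = b"_$$ND_FUNC$$_"                  # node-serialize function wrapper


def classify(value: bytes) -> List[str]:
    """Names every serialization format whose header this value carries."""
    hits = [fmt for fmt, magic in MAGIC if value.startswith(magic)]
    if PICKLE_RE.match(value):
        hits.append("python-pickle")
    if PHP_RE.match(value):
        hits.append("php")
    if NODE_MARKER in value:
        hits.append("node-serialize")
    return hits


def _candidates(value: bytes) -> Iterator[bytes]:
    """The raw value plus its URL- and base64-decoded forms, since blobs in
    cookies and form fields are almost always transport-encoded."""
    yield value
    unquoted = unquote_to_bytes(value)
    if unquoted != value:
        yield unquoted
    for encoded in (value, unquoted):
        try:
            yield base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue


def scan_request(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Maps each field name to the formats found in it (clean fields omitted)."""
    findings: Dict[str, List[str]] = {}
    for name, text in fields.items():
        seen: List[str] = []
        for candidate in _candidates(text.encode("latin-1")):
            for fmt in classify(candidate):
                if fmt not in seen:
                    seen.append(fmt)
        if seen:
            findings[name] = seen
    return findings


# Exception names that typically appear in logs when an attacker probes an
# endpoint with payloads built for classes the server does not have.
EXCEPTION_HINTS = (
    "ClassNotFoundException", "InvalidClassException",
    "StreamCorruptedException", "__PHP_Incomplete_Class",
    "UnpicklingError", "SerializationException",
)


def suspicious_log_lines(lines: List[str]) -> List[str]:
    return [line for line in lines if any(hint in line for hint in EXCEPTION_HINTS)]


# Constructed sample input: one request with five fields, and three log lines.
SAMPLE_REQUEST = {
    "cookie:session": base64.b64encode(b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap").decode(),
    "param:prefs": 'O:8:"UserPref":1:{s:4:"role";s:5:"admin";}',
    "body": pickle.dumps({"user": "alice"}).decode("latin-1"),
    # .NET header followed by a few bytes of the next record (truncated for the demo)
    "header:x-state": base64.b64encode(MAGIC[1][1] + b"\x0c\x02\x00\x00\x00").decode(),
    "param:q": "search term",
}
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z WARN  app - request handled in 12ms",
    "2024-05-01T10:00:02Z ERROR app - java.lang.ClassNotFoundException: org.apache.commons.collections.functors.InvokerTransformer",
    "2024-05-01T10:00:03Z ERROR app - java.io.InvalidClassException: com.example.Session; local class incompatible",
]

if __name__ == "__main__":
    print(scan_request(SAMPLE_REQUEST))
    print(suspicious_log_lines(SAMPLE_LOG))
```

The header checks are deliberately anchored at the start of the decoded value rather than searched anywhere in it, because a two-byte marker such as Ruby's 04 08 would otherwise match inside ordinary binary uploads; node-serialize's marker is long enough to search for directly. A hit in a field the application never intended to carry serialized data is the finding to escalate, not merely the presence of a format.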

What is the impact of insecure deserialization?

Impact ranges from denial of service (deeply nested or self-referencing structures that exhaust memory or CPU while being parsed) to full remote code execution on the application server. Successful exploitation can grant complete server access with the application's privileges, enable lateral movement, allow data exfiltration, and compromise the entire application environment. Because the payload executes before any application-level validation runs, remote code execution via deserialization is among the most critical vulnerability classes.

How does insecure deserialization relate to the OWASP Top 10?

Insecure deserialization was listed as a standalone category (A8) in the OWASP Top 10 2017. In the 2021 edition, it was merged into A08: Software and Data Integrity Failures, a broader category encompassing deserialization along with insecure CI/CD pipelines, auto-update mechanisms, and unsigned code or data integrity issues.
