What is Insecure deserialization?

In this section, we’ll cover what insecure deserialization is and describe how it can potentially expose websites to high-severity attacks. We’ll highlight typical scenarios and demonstrate some widely applicable techniques using concrete examples of PHP, Ruby, and Java deserialization.

Karthikeyan Nagaraj
5 min read · Oct 31, 2023


What is serialization?

Serialization is the process of converting complex data structures, such as objects and their fields, into a “flatter” format that can be sent and received as a sequential stream of bytes. Serializing data makes it much simpler to:

  • Write complex data to inter-process memory, a file, or a database
  • Send complex data, for example, over a network, between different components of an application, or in an API call

Crucially, when serializing an object, its state is also persisted. In other words, the object’s attributes are preserved, along with their assigned values.
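As an added illustration that is not part of the original article, Python's pickle module stands in here for the PHP, Ruby and Java formats named above: it flattens an object's class reference and attribute values into a byte stream, and the same stream tells the deserializer which class to rebuild. The `Session` and `Unexpected` classes and the allow-list are constructed for this example; the restricted unpickler shows the check a defender applies so that only expected classes are ever instantiated from untrusted bytes.

```python
import io
import pickle

# Constructed example class; its attributes are the "state" that serialization persists.
class Session:
    def __init__(self, user, role):
        self.user = user
        self.role = role

# A second constructed class that is deliberately NOT on the allow-list below.
class Unexpected:
    pass

def serialize(obj):
    """Flatten an object (class reference + attribute values) into a byte stream."""
    return pickle.dumps(obj)

def deserialize(data):
    """Plain deserialization: rebuilds whatever class the stream names."""
    return pickle.loads(data)

def stream_mentions(data, *words):
    """True if every word appears literally in the byte stream. The stream carries the
    class name and attribute names, which is why it can be inspected and tampered with."""
    return all(w.encode() in data for w in words)

class RestrictedUnpickler(pickle.Unpickler):
    """Instantiate only classes on an explicit allow-list while deserializing.
    Any other class reference found in the stream is refused instead of resolved."""
    ALLOWED = {(Session.__module__, Session.__name__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing class {module}.{name}")

def safe_deserialize(data):
    """Deserialize with the allow-list; returns (ok, object_or_error_message)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

if __name__ == "__main__":
    data = serialize(Session("alice", "admin"))
    restored = deserialize(data)
    print(restored.user, restored.role)                        # alice admin
    print(stream_mentions(data, "Session", "user", "role"))    # True
    print(safe_deserialize(serialize(Unexpected()))[0])        # False
```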

Serialization vs deserialization
