Insecure Deserialization
detect, understand, remediate
Insecure deserialization allows attackers to manipulate serialised objects to achieve remote code execution, privilege escalation, or injection attacks when the application deserialises untrusted data.
No credit card required. Free plan available forever.
What is insecure deserialization?
Insecure deserialization occurs when an application deserializes (reconstructs objects from a byte stream) data from untrusted sources without adequate validation. Attackers can manipulate serialized objects to achieve remote code execution, privilege escalation, injection attacks, or denial of service.
Serialization is used extensively in modern applications; session tokens, API messages, caching layers, and inter-service communication all rely on converting objects to and from transportable formats. When these serialized streams are exposed to user control, attackers can tamper with object properties, class types, or method invocations embedded in the data.
The consequences are severe because deserialization often occurs before any application-level validation. A crafted payload can trigger arbitrary code execution the moment the object is reconstructed, giving the attacker the same privileges as the application process, frequently root or SYSTEM.
How it works
Identify serialized data
Attacker finds serialized objects in cookies, hidden form fields, API parameters, or message queues, often recognisable by Base64 encoding or binary headers.
Analyse object structure
The attacker reverse-engineers the serialized format to understand class types, properties, and available gadget chains within the application's classpath.
Craft malicious payload
A tampered serialized object is created that exploits existing classes (gadget chains) to execute arbitrary commands during deserialization.
Code executes on server
When the application deserializes the payload, the gadget chain fires and the attacker's code runs with full application privileges.
Common causes
Deserializing untrusted data
Accepting serialized objects from user-controlled sources (cookies, request bodies, message queues) without verifying their integrity or origin.
Using unsafe serialization libraries
Languages like Java (ObjectInputStream), Python (pickle), PHP (unserialize), and Ruby (Marshal) can execute arbitrary code during deserialization.
Missing integrity checks
Serialized data transmitted without HMAC signatures or encryption allows attackers to tamper with objects in transit without detection.
Broad class availability
Having many classes on the classpath (especially utility libraries like Apache Commons) increases the number of available gadget chains for exploitation.
How to detect it
Automated detection
- SecPortal's code scanner identifies calls to unsafe deserialization functions (pickle.loads, ObjectInputStream, unserialize) in source code
- SCA scanning detects known deserialization vulnerabilities in third-party libraries and frameworks
- Authenticated scanning can detect serialized tokens in cookies and session data that may be vulnerable to tampering
Manual testing
- Inspect cookies and request parameters for Base64-encoded or binary serialized objects (look for Java magic bytes, PHP serialized strings)
- Use tools like ysoserial (Java) or phpggc (PHP) to generate deserialization payloads and test for code execution
- Modify serialized object properties (e.g. changing role from "user" to "admin") to test for privilege escalation
How to fix it
Do not deserialize untrusted data
The safest approach is to avoid deserializing data from untrusted sources entirely. If you must accept structured data, use safe formats like JSON with explicit schema validation.
Use safe serialization formats
Replace native serialization (Java Serializable, Python pickle) with language-agnostic formats like JSON or Protocol Buffers that do not support arbitrary code execution.
Implement integrity checks
Sign all serialized data with HMAC before transmitting and verify the signature before deserializing. Reject any data that fails integrity validation.
Isolate deserialization processes
Run deserialization in a sandboxed environment with minimal privileges. Use allow-lists for permitted classes and reject any unexpected types.
Monitor and log deserialization activity
Log all deserialization events and alert on failures, unexpected types, or abnormal payload sizes that may indicate exploitation attempts.
Compliance impact
Detect deserialization issues in code
SecPortal's SAST scanner identifies unsafe deserialization patterns across Java, Python, PHP, and more. Start free.
No credit card required. Free plan available forever.