Insecure Deserialization
Also known as: Object Injection
Insecure Deserialization occurs when an application deserializes attacker-controllable data using a mechanism that can instantiate arbitrary objects or invoke methods during reconstruction. Depending on the language and available gadget chains, this can lead to remote code execution, authentication bypass, or data tampering.
How it works
- 1The application accepts serialized objects from the client (cookies, tokens, message queues).
- 2It deserializes them with an unsafe deserializer that can construct arbitrary types.
- 3The attacker crafts a payload leveraging a gadget chain in the app's dependencies.
- 4Deserialization triggers the chain, executing code or altering trusted state.
Example
Signs of risk:
- Java: readObject on ObjectInputStream with untrusted bytes
- Python: pickle.loads on user data
- .NET / PHP: BinaryFormatter / unserialize on client inputImpact
Insecure deserialization frequently yields remote code execution and is difficult to exploit blindly but severe when achievable.
Remediation
- Never deserialize untrusted data with type-permissive deserializers.
- Use data-only formats (JSON) with strict schemas instead of native object serialization.
- If unavoidable, enforce type allowlists and integrity checks (signed payloads).
- Keep dependencies patched to remove known gadget chains.
Detection & testing
Identify endpoints accepting serialized blobs; test with known gadget probes and out-of-band callbacks. Validate exploitability safely.
Impactr tests for Insecure Deserialization the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for Object InjectionTools
Frequently asked questions
Is JSON parsing vulnerable to insecure deserialization?
Plain JSON parsing into data structures is generally safe. Risk appears when a library maps JSON to arbitrary types (polymorphic deserialization) or when native binary serializers are used on untrusted input.