What are the security risks of deserialization and how do you mitigate them?
Rebuilding an object from attacker-controlled bytes can run code: a crafted serialized blob makes the app instantiate dangerous objects during deserialization, leading to RCE. Don't deserialize untrusted data; if you must, enforce signatures and a strict allowlist of expected classes.
* Deserialization gadget chain — untrusted bytes instantiate objects whose chained calls reach a system command, giving remote code execution. *
Serialization converts objects to byte streams for storage/transmission. Deserialization reconstructs objects from byte streams.
This is the classic mechanism behind A08 integrity failures: e.g. a Java app that deserializes a user-supplied object can be tricked into executing a "gadget chain" of library calls that ends in running a system command — all from data the app naively trusted.
Risks:
- Attacker can manipulate serialized data
- Malicious objects execute code upon deserialization
- Can lead to RCE (Remote Code Execution)
Countermeasures:
- Avoid deserialization of untrusted data
- No untrusted sources for serialized data
- Integrity checks (digital signatures)
- Type constraints - only allow expected classes
- Isolate deserialization code
- Log exceptions and failures
- Restrict and monitor network access
Go deeper:
OWASP Deserialization Cheat Sheet — language-specific safe-deserialization guidance (Java, .NET, PHP, Python).