LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the security risks of deserialization and how do you mitigate them?

Rebuilding an object from attacker-controlled bytes can run code: a crafted serialized blob makes the app instantiate dangerous objects during deserialization, leading to RCE. Don't deserialize untrusted data; if you must, enforce signatures and a strict allowlist of expected classes.

Deserializing untrusted bytes instantiates objects that form a gadget chain ending in a system command (RCE).

* Deserialization gadget chain — untrusted bytes instantiate objects whose chained calls reach a system command, giving remote code execution. *

Serialization converts objects to byte streams for storage/transmission. Deserialization reconstructs objects from byte streams.

This is the classic mechanism behind A08 integrity failures: e.g. a Java app that deserializes a user-supplied object can be tricked into executing a "gadget chain" of library calls that ends in running a system command — all from data the app naively trusted.

Risks:

  • Attacker can manipulate serialized data
  • Malicious objects execute code upon deserialization
  • Can lead to RCE (Remote Code Execution)

Countermeasures:

  • Avoid deserialization of untrusted data
  • No untrusted sources for serialized data
  • Integrity checks (digital signatures)
  • Type constraints - only allow expected classes
  • Isolate deserialization code
  • Log exceptions and failures
  • Restrict and monitor network access

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026