Insecure Deserialisation

Insecure deserialisation occurs when an application does not properly validate or sanitize untrusted input during the deserialization process, leading to arbitrary code execution and denial of service. Deserialization is the process of converting serialized data (e.g., from JSON, XML, or other formats) back into an object or data structure that can be used within a program.

Remediation

Where possible avoid using untrusted data in serialisation process.
Use safe libraries that segregate data from the code during deserialisation and perform contextual escaping.

Metadata

Severity: critical
Slug: insecure-deserialisation

CWEs

502: Deserialization of Untrusted Data

OWASP

A03:2021: Injection
A8:2017: Insecure Deserialization

Available Labs

Open Python labs in SecDim Play for this vulnerability.

easy

Deserialization.py

Python Easy

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.