Insecure deserialization definition
Insecure deserialization is a vulnerability that arises when serialized data controlled by an attacker is deserialized and processed without proper validation.
When data is serialized, it’s converted into a format that can be easily stored or transmitted. Deserialization is the opposite process, where the serialized data is converted back into its original form for use by the application.
See also: privilege escalation, code injection
Dangers of insecure deserialization
- Remote code execution. Attackers can manipulate serialized data to execute arbitrary code on the targeted system.
- Denial-of-service attack. By sending specially crafted serialized data, an attacker can overload the system, causing resource exhaustion or triggering infinite loops.
- Data tampering. Insecure deserialization can allow attackers to modify serialized data in transit or storage, leading to data tampering or integrity violations. This can have severe consequences, such as unauthorized data modifications, compromised data integrity, or fraudulent transactions.
- Authentication bypass. Attackers may leverage insecure deserialization to bypass authentication mechanisms and gain unauthorized access to protected resources or privileged functionality within an application.
- Privilege escalation. Exploiting insecure deserialization can enable attackers to elevate their privileges within an application or system. They can abuse the trust placed in deserialized data to gain elevated permissions, compromising the security and confidentiality of sensitive information.
- Injection attacks. Attackers may inject malicious payloads into serialized data to exploit vulnerabilities in downstream processes or components that rely on the deserialized data.
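As an added example (not part of this glossary entry), the Python code below applies the two mitigations that address the dangers listed above: an HMAC tag over the serialized blob is verified before any parsing, so tampered data is rejected, and deserialization goes through an unpickler that resolves only allow-listed globals, so a stream cannot make the application import and call arbitrary code. The secret key, the allow-list contents and the sample payloads are assumptions constructed for the demonstration.

```python
import collections
import hashlib
import hmac
import io
import pickle

# Assumed placeholder key; a real deployment loads it from a secret store.
SECRET_KEY = b"example-secret-key-replace-me"
# Allow-list of (module, name) globals the unpickler may resolve.
SAFE_GLOBALS = {("collections", "Counter")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.loads() imports and calls whatever global the stream names, which
    is how deserialization becomes code execution; resolve only allow-listed ones."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def sign(blob: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so tampering is detected before parsing."""
    return blob + hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()

def safe_loads(signed: bytes):
    """Verify the tag first, then deserialize with the restricted unpickler."""
    blob, tag = signed[:-32], signed[-32:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def rejected(signed: bytes, exc) -> bool:
    try:
        safe_loads(signed)
    except exc:
        return True
    return False

def demo():
    # Constructed samples: a dict and an allow-listed Counter round-trip.
    session = safe_loads(sign(pickle.dumps({"user": "alice", "role": "viewer"})))
    counts = safe_loads(sign(pickle.dumps(collections.Counter("aab"))))
    # Flipping one byte of a signed payload fails the integrity check ...
    signed = sign(pickle.dumps({"role": "viewer"}))
    tampered = signed[:5] + bytes([signed[5] ^ 0xFF]) + signed[6:]
    # ... and a stream naming a global outside the allow-list is refused.
    other = sign(pickle.dumps(collections.OrderedDict(a=1)))
    return session, counts, rejected(tampered, ValueError), rejected(other, pickle.UnpicklingError)
```

Preferring a data-only format such as JSON with schema validation removes the problem entirely; the allow-list approach is the fallback when a native object format cannot be replaced.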