Cyber Defense Magazine – July 2019


Reducing the Insecure Deserialization Risk


By Apostolos Giannakidis, Security Architect, Waratek


Serializing and deserializing data is a common operation in many web applications, mainly because of the
speed and ease with which data can be moved between applications. However, what was thought to be
an efficient process has turned into a vulnerability nightmare over the last few years, mainly for Java
applications, although .NET, PHP, and Ruby have also made headlines for insecure deserialization attacks.
The deserialization problem occurs when applications deserialize data from untrusted sources, and it is one
of the most widespread security vulnerabilities of the last couple of years.


A brief background


Serialization, or marshalling, is the process of converting a memory object into a stream of bytes in order
to store it into the filesystem or transfer it to another remote system. Deserialization, also known as
unmarshalling, is the reverse process that converts the serialized stream of bytes back to an object in
the memory of the machine. All main programming languages provide facilities to perform native
serialization and deserialization and most of them are inherently unsafe.
