Object Serialization


The application is vulnerable because it deserializes objects built from untrusted input. Object serialization is the mechanism by which a program converts an in-memory object (and the objects it references) into a byte stream so that it can be stored or sent across the network; deserialization reverses the process on the receiving side and reconstructs a copy of the original object. Native serialization formats such as Java's ObjectInputStream, Python's pickle, PHP's unserialize and .NET's BinaryFormatter encode not only field values but which classes to instantiate and which methods to invoke while rebuilding the object graph. A server that deserializes bytes controlled by the client therefore lets the client choose those classes and methods, which exposes it to attacks ranging from arbitrary code execution (chaining classes that already exist on the server, so-called gadget chains) to denial of service (deeply nested or self-referencing structures that exhaust memory or CPU while being parsed).


Applications that deserialize untrusted objects are exposed on several fronts. Serialized objects are normally not encrypted, so if one contains sensitive data (internal identifiers, roles, prices) any user who receives it can decode and read it. An attacker who can send requests to the server can likewise decode the object, alter its fields, re-serialize it and submit it; unless the server authenticates the byte stream (for example with an HMAC) or validates the reconstructed object, the tampered values flow straight into business logic. Worse, because the byte stream names the classes to instantiate, the attacker can substitute a malicious object graph that executes code on the server during deserialization, and an attacker who can execute code on the server can install a remote shell and exfiltrate sensitive data. Even where no code-execution gadget is available, crafted input can still consume memory or CPU, so at a minimum the server is exposed to denial of service.
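The attack and the two defences described above, as an added example that is not part of the original finding. Python's pickle stands in for "object serialization" because its behaviour is easy to show in a few lines; the same pattern (the byte stream names the code that runs) applies to Java, PHP and .NET native serialization. The Order class, the attacker_callback stand-in, the allow-list contents, the HMAC key and the size limit are all assumptions made for this demo.

```python
"""Insecure deserialization, shown with Python's pickle, beside two hardening
controls. Everything here is a constructed demo: the Order class, the
allow-list, the HMAC key and the attacker_callback stand-in are assumptions
for illustration, not code from any real application."""
import hashlib
import hmac
import io
import pickle

# A harmless application object the server legitimately serializes.
class Order:
    def __init__(self, order_id: int, total_cents: int):
        self.order_id = order_id
        self.total_cents = total_cents

# Stand-in for the attacker's effect. A real payload would point __reduce__ at
# os.system, subprocess.Popen or similar; here we only record that attacker-chosen
# code ran during loading, so the demo is safe to execute.
SIDE_EFFECTS = []

def attacker_callback(marker: str) -> str:
    SIDE_EFFECTS.append(marker)
    return marker

class EvilPayload:
    # pickle stores the callable and its args and calls them on load. This is the
    # primitive behind code execution via deserialization: the byte stream, not
    # the server, decides which function runs.
    def __reduce__(self):
        return (attacker_callback, ("code ran during deserialization",))

def build_malicious_blob() -> bytes:
    """What an attacker submits in place of a serialized Order."""
    return pickle.dumps(EvilPayload())

# VULNERABLE: trusts whatever bytes the client sent.
def vulnerable_load(blob: bytes):
    return pickle.loads(blob)

# HARDENING 1: allow-list the globals (classes/functions) the stream may reference.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {(Order.__module__, "Order")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def load_with_allowlist(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

# HARDENING 2: authenticate the blob so only server-produced streams are parsed.
SERVER_KEY = b"constructed-demo-key"  # assumption: in production, from a secrets store
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def sign(blob: bytes) -> bytes:
    tag = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    return tag + blob

def verify_and_load(signed: bytes, max_len: int = 64 * 1024):
    if len(signed) > TAG_LEN + max_len:  # cheap DoS guard before parsing anything
        raise ValueError("blob too large")
    tag, blob = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature: blob was not produced by this server")
    # Defence in depth: even a validly signed blob only instantiates allowed classes.
    return load_with_allowlist(blob)

def demo() -> dict:
    """Exercise each path and report what happened."""
    results = {}
    evil = build_malicious_blob()
    results["vulnerable_ran_attacker_code"] = (
        vulnerable_load(evil) == "code ran during deserialization"
    )
    try:
        load_with_allowlist(evil)
        results["allowlist_blocked"] = False
    except pickle.UnpicklingError:
        results["allowlist_blocked"] = True
    legit = sign(pickle.dumps(Order(7, 1999)))
    results["legit_total_cents"] = verify_and_load(legit).total_cents
    tampered = legit[:-1] + bytes([legit[-1] ^ 0x01])  # flip one bit of the payload
    try:
        verify_and_load(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    try:  # if the key leaked the attacker could sign; the allow-list still holds
        verify_and_load(sign(evil))
        results["signed_evil_blocked"] = False
    except pickle.UnpicklingError:
        results["signed_evil_blocked"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The HMAC check answers the tampering concern (the client can read the blob but cannot change it without detection) and the size limit blunts the simplest denial-of-service inputs, but neither stops code execution on its own: a leaked or guessable key lets the attacker sign a malicious stream, which is why the allow-list on `find_class` is applied even to authenticated blobs. Where the data model allows it, replacing native serialization with a data-only format such as JSON plus explicit schema validation removes the class-instantiation primitive entirely.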

Risk Rating


How To Test

Sample Report Screenshots

Testing Gotchas


