Insecure Deserialization

Serialization is the process of taking an object and turning it into a data format that can be stored, so that it later can be fetched and deserialized back into an object. Some common data formats for serializing data are JSON (JavaScript Object Notation) and XML (eXtensible Markup Language); however, several programming languages today contain support for deserialization with more capabilities than JSON or XML. These deserialization features can also be used for malicious purposes, if they are operating on untrusted data.[1]

Insecure Deserialization vulnerabilities often lead the risk of leading to RCE (Remote Code Execution), DoS (Denial of Service), or privilege escalation.

To exploit this type of vulnerability, one must find somewhere in the target service where deserialization is used. The following table[2] specifies some hints that applications give, depending on the underlying technology:

Technology Hint
Java HTTP header “application/x-java-serialized-object”
  Sequence “r0O” in base64 encoded data
  HEX signature “AC ED 00 05”
C#/.NET Sequence “AAEAAAD/////” in base64 encoded data
  “Type-Object” in client-side code
  “$type:” in client-side code

You can find more information in the book “The Penetration Tester’s Guide to Web Applications” by Serge Borso. If you have a KTH account, you can access it here.


[1] Deserialization Cheat Sheet. OWASP. (Fetched 2021-03-30)
[2] Borso, Serge. (2019). The Penetration Tester’s Guide to Web Applications (Artech House information security and privacy series). Norwood: Artech House. Link to KTH Library.