OWASP Foundation
owasp.org › www-community › vulnerabilities › Insecure_Deserialization
Insecure Deserialization | OWASP Foundation
Insecure Deserialization is a type of vulnerability that arises when untrusted data is used to abuse the logic of an application’s deserialization process, allowing an attacker to execute code, manipulate objects, or perform injection attacks.
OWASP
owasp.org › www-project-top-ten › 2017 › A8_2017-Insecure_Deserialization
OWASP Top Ten 2017 | A8:2017-Insecure Deserialization | OWASP Foundation
A8:2017-Insecure Deserialization on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
Discussions

Did I Waste Time Starting in Full Stack Before Cybersecurity?
No, you didn't waste your time - it's generally a good idea to know and understand IT and Programming before stepping into a cyber role, and will definitely help with things like AppSec, white box pentesting, etc. More on reddit.com
r/cybersecurity, March 1, 2026
I'm not sure what tool I can even use for my assignment?
Try SQLMap for sql injection through the command line. Lots of tutorials online will actually use Juice Shop to demonstrate SQLMap. More on reddit.com
r/tryhackme, May 31, 2023
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › Deserialization_Cheat_Sheet.html
Deserialization - OWASP Cheat Sheet Series
    var suspectObject = myBinaryFormatter.Deserialize(untrustedData);
    //Check below is too late! Execution may have already occurred.
    if (suspectObject is SomeDangerousObjectType)
    {
        //generate warnings and dispose of suspectObject
    }

For JSON.Net it is possible to create a safer form of allow-list control using a custom SerializationBinder. Try to keep up-to-date on known .NET insecure deserialization gadgets and pay special attention where such types can be created by your deserialization processes.
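The cheat sheet snippet makes two points: a type check that runs after Deserialize() is too late, because the stream itself decides what gets called, and the fix is an allow-list binder consulted before any type is resolved. The following is an added example (not code from the cheat sheet) that shows both in Python, with pickle standing in for BinaryFormatter and Unpickler.find_class standing in for a SerializationBinder. Ticket, AttackerObject, SAFE_GLOBALS and the helper names are assumptions made for the demo; the payload calls eval on a harmless expression where a real one would name os.system or subprocess.check_output.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Ticket:
    """The only application type this endpoint legitimately expects (assumed for the demo)."""
    id: int
    subject: str


class AttackerObject:
    """Stand-in for the attacker's serializer script. __reduce__ tells pickle which
    callable to invoke on load. A real payload would name os.system; this one evals a
    harmless expression so the demo is side-effect free yet still proves code ran
    inside the target process."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


# Constructed attacker payload. It references only builtins.eval, never AttackerObject.
MALICIOUS_PAYLOAD = pickle.dumps(AttackerObject())


def naive_load(data: bytes) -> Ticket:
    """Deserialize first, check the type afterwards: the pattern the cheat sheet warns about."""
    obj = pickle.loads(data)            # eval(...) has already run by the time this returns
    if not isinstance(obj, Ticket):     # too late to matter
        raise TypeError(f"rejected {obj!r} of type {type(obj).__name__}")
    return obj


# Allow-list of (module, name) pairs a stream may reference, mapped straight to the
# object so nothing is imported on the attacker's say-so. This is pickle's equivalent
# of a custom SerializationBinder.
SAFE_GLOBALS = {
    (Ticket.__module__, Ticket.__qualname__): Ticket,
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            # Raised at the GLOBAL opcode, before any REDUCE/NEWOBJ can call anything.
            raise pickle.UnpicklingError(f"refused global {module}.{name}") from None


def safe_load(data: bytes) -> Ticket:
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, Ticket):     # still useful: a stream can carry a bare int or dict
        raise TypeError(f"rejected {obj!r} of type {type(obj).__name__}")
    return obj


def demo(loader) -> dict:
    """Feed the malicious payload to a loader and report whether it was rejected and
    whether the attacker's callable ran inside this process first."""
    try:
        loader(MALICIOUS_PAYLOAD)
        return {"rejected": False, "payload_ran": True}
    except TypeError as exc:
        # naive_load path: the rejection message even carries the pid eval() computed here
        return {"rejected": True, "payload_ran": str(os.getpid()) in str(exc)}
    except pickle.UnpicklingError:
        # safe_load path: refused before builtins.eval was ever resolved
        return {"rejected": True, "payload_ran": False}


def roundtrip(ticket: Ticket) -> Ticket:
    """Legitimate data still passes through the restricted loader unchanged."""
    return safe_load(pickle.dumps(ticket))


if __name__ == "__main__":
    print("naive:", demo(naive_load))
    print("restricted:", demo(safe_load))
    print("roundtrip:", roundtrip(Ticket(7, "printer jam")))
```

The allow-list maps names directly to objects rather than calling the default find_class, so an unknown name is refused without touching the import system at all; the same holds for the binder approach the snippet recommends for JSON.Net, where the binder should return a type from a fixed table and otherwise throw.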
OWASP Foundation
owasp.org › www-community › vulnerabilities › Deserialization_of_untrusted_data
Deserialization of untrusted data | OWASP Foundation
The following is an example from Adobe’s BlazeDS AMF deserialization vulnerability (CVE-2011-2092). You can specify arbitrary classes and properties for a BlazeDS application to deserialize. This particular payload creates an instance of a JFrame object on the target server.
ImmuniWeb
immuniweb.com › blog › OWASP-insecure-deserialization.html
OWASP Top 10 in 2017: Insecure Deserialization Security Vulnerability Practical Overview | Cybercrime Investigations Weekly
April 19, 2021 - Insecure Deserialization is #8 in the 2017 OWASP Top Ten Most Critical Web Application Security Risks. It is difficult to exploit, but successful attacks can lead to remote code execution.
Detectify
blog.detectify.com › home › best practices › owasp top 10: insecure deserialization
OWASP TOP 10: Insecure Deserialization- Blog Detectify
July 17, 2023 - Insecure Deserialization is one of the vulnerabilities on OWASP's Top 10 list and allows attackers to deliver a payload using serialized objects.
GitHub
github.com › OWASP › Serverless-Top-10-Project › blob › master › 2018 › en › 0xS8-insecure-deserialization.md
Serverless-Top-10-Project/2018/en/0xS8-insecure-deserialization.md at master · OWASP/Serverless-Top-10-Project
As usual, the business impact depends on the application and the data it handles. Insecure deserialization usually results in running arbitrary code that could eventually lead to data leakage and, in severe cases, even resource and account control.
Author: OWASP
Veracode
docs.veracode.com › manage risk › review findings › resolve findings › prevent general attacks › prevent insecure deserialization attacks
Prevent insecure deserialization attacks | Veracode Docs
4 weeks ago - Insecure deserialization was ranked #8 on the 2017 OWASP Top Ten list of the most critical web application security risks, alongside risks such as injection.
Wallarm
wallarm.com › what › a8-insecure-deserialization-2017-owasp
A8: Insecure Deserialization ❗️ - Top 10 OWASP 2017
April 8, 2025 - Insecure deserialization has historically been seen as a very hard to grasp vulnerability, almost like a black box, but while it does have its challenges, so does every other issue type on the OWASP Top 10. Serialization is a technique used to convert an object into a byte stream so that it can be stored somewhere or passed on to another system. As these serialized objects undergo deserialization, dangerous issues might arise.
Owasp-juice
help.owasp-juice.shop › part2 › insecure-deserialization.html
Insecure Deserialization · Pwning OWASP Juice Shop
These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data.
GitHub
github.com › OWASP › Top10 › blob › master › 2017 › en › 0xa8-insecure-deserialization.md
Top10/2017/en/0xa8-insecure-deserialization.md at master · OWASP/Top10
Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
Author: OWASP
Kiuwan
kiuwan.com › blog › owasp-top-10-2017-a8-insecure-deserialization
OWASP Top 10 2017: A8 Insecure Deserialization | Kiuwan
July 23, 2024 - In 2017, OWASP added a new vulnerability to the Top 10 list: A8 Insecure Deserialization, in place of the previous #8 vulnerability, Cross-Site Request Forgery.
PortSwigger
portswigger.net › web-security › deserialization
Insecure deserialization | Web Security Academy
In short, it can be argued that it is not possible to securely deserialize untrusted input. The impact of insecure deserialization can be very severe because it provides an entry point to a massively increased attack surface.
PVS-Studio
pvs-studio.com › en › docs › warnings › v5611
V5611. OWASP. Potential insecure deserialization vulnerability. Potentially tainted data is used to create an object using deserialization.
July 7, 2021 - The intruder will not be able to gain higher privileges by changing the value of the 'isAdmin' property in the file. This fixes the insecure deserialization problem in the described example. For more robust protection against this type of vulnerability, follow a few more rules, listed in the relevant OWASP Top 10 section.
ASPIA InfoTech
aspiainfotech.com › home › insecure deserialization owasp top-10 2017: critical cybersecurity concern
Insecure Deserialization Owasp Top-10 2017: Critical Cybersecurity Concern - ASPIA InfoTech
July 31, 2024 - In order to properly address these ... Insecure deserialization occurs when untrusted data is used to abuse the logic of an application, leading to unexpected behaviour or security breaches....
The Hackerish
thehackerish.com › home › insecure deserialization explained with examples
Insecure Deserialization explained with examples - thehackerish
April 22, 2021 - In this section, we will explore many known CVEs which exploited this vulnerability. Some of them are insecure deserialization bug bounty reports from Hackerone. How to exploit it? This is where you will learn to go beyond running tools. You will perform white box testing and build custom code to solve a challenge on OWASP WebGoat.
Contrast Security
contrastsecurity.com › glossary › insecure-deserialization
What is Insecure Deserialization?
Insecure deserialization was listed 8th on the 2017 OWASP Top 10 Web Application Security Risks. In the 2021 list it is part of a larger category, Software and Data Integrity Failures.
Top answer

TL;DR: A clear distinction between vulnerability classes is not always possible.


To look at "insecure serialization" in a different way first:
From the description, OWASP's "insecure serialization" is a bit of a foggy mix of (imo) 3 separate problems:

  • A specific subsection of plain untrusted input values, for the very first one: who cares about serialization formats. In your code block, the admin:true (and the server believing this value) is the problem, nothing else. If it stands alone, outside of any JSON etc., it's still the same problem.
  • Still untrusted input, but another section: exchanging code (classes, methods...). If there is some dependency injection going on for an EncryptionAlgorithmInterface, and the available implementations are None, DES, AES256 and so on, what could I do with the serialized object? Change the algorithm to None and then find a place where I can read the data while it is sent over the internet.
  • Problems by definition in the serializer itself. What if I send a never-ending stream of [[[[[[[[[[[[[[[... to a web service expecting JSON (i.e. array of array of array of..., where the values and closing ] are never sent)? A simple implementation will quickly reach a stack overflow (the error, not the website), crashing the server process.

Your JSON web token link...

  • is at least untrusted input.
  • It also is (OWASP's) insecure serialization, but really, who cares: the problem again is not the data format.
  • After the explanation was written, it also became "running components with known vulnerabilities".
  • Not in OWASP's Top 10, but it is also a protocol definition problem.
  • ...

Finally, about the part of native serialization that offers more than JSON etc.: well, partially, but this doesn't make e.g. PHP's version secure.

In Java it is possible to take an object, write its complete state to a byte array (that is, current member variable content (both simple types as well as other objects), but also executable binary code in some situations, etc.) and then recreate everything from this byte array. Access to a serialized Java method that will be executed later is of course very nice for doing bad things. And if there is none, introducing one that will be called because of its name at some point (e.g. equals) is easy too.

In PHP, there is no such straightforward way to save and load executable code parts the way the runtime has them in memory, so abusing this is not possible. However, names of other methods to call might still be in there. That's not as convenient, but still nice.
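The answer's third problem, a never-ending stream of [[[[... aimed at a parser that recurses once per nesting level, is the one that needs a check before the parser runs, since by the time the parser notices, the stack is gone. The following is an added example (not code from the answer above) in Python: a loader that reads a chunked JSON stream, tracks bracket depth outside string literals, and refuses the stream as soon as a depth or size bound is crossed, without waiting for an end that never comes. The names JsonTooDeep, JsonTooLarge, load_untrusted_json and the helper functions are assumptions made for the demo; the attacker stream and the sample document are constructed inline.

```python
import itertools
import json
from typing import Any, Iterable


class JsonTooDeep(ValueError):
    pass


class JsonTooLarge(ValueError):
    pass


def load_untrusted_json(chunks: Iterable[str], max_depth: int = 32,
                        max_chars: int = 1 << 20) -> Any:
    """Accumulate a JSON document from a chunked stream and parse it, but raise as
    soon as either bound is crossed, so an endless stream is cut off rather than
    buffered. Depth is counted on [ { ] } outside string literals, so brackets
    inside strings (including after a backslash escape) do not count."""
    buf = []
    size = depth = 0
    in_string = escaped = False
    for chunk in chunks:
        size += len(chunk)
        if size > max_chars:
            raise JsonTooLarge(f"more than {max_chars} characters")
        for ch in chunk:
            if in_string:
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif ch in "[{":
                depth += 1
                if depth > max_depth:
                    raise JsonTooDeep(f"nesting deeper than {max_depth}")
            elif ch in "]}":
                depth -= 1          # a stray closer is a syntax error json.loads will report
        buf.append(chunk)
    return json.loads("".join(buf))


def stdlib_parser_blows_stack(depth: int = 100_000) -> bool:
    """The 'simple implementation' case: CPython's json decoder recurses per nesting
    level and gives up with RecursionError. Runtimes without that guard crash the
    process instead, which is why the depth bound belongs in front of the parser."""
    try:
        json.loads("[" * depth)
    except RecursionError:
        return True
    except ValueError:
        return False
    return False


def endless(ch: str = "[") -> Iterable[str]:
    """Constructed attacker stream: one character forever; values and closers never arrive."""
    return itertools.repeat(ch)


def attempt(chunks: Iterable[str], **limits) -> str:
    """Classify what the bounded loader does with a stream."""
    try:
        load_untrusted_json(chunks, **limits)
    except JsonTooDeep:
        return "too deep"
    except JsonTooLarge:
        return "too large"
    except ValueError:             # json.JSONDecodeError is a ValueError
        return "invalid"
    return "ok"


if __name__ == "__main__":
    print("endless '[':", attempt(endless()))                     # stops after 33 chunks
    print("40 levels, limit 32:", attempt(["[" * 40, "]" * 40]))
    print("stdlib alone:", stdlib_parser_blows_stack())
```

The scan is a single pass over the bytes as they arrive and needs no buffering beyond the size cap, so it can sit in front of any parser, including one that would otherwise overflow its stack; the JSON library itself is only called once the document has already passed both bounds.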