What are Serialization Attacks and How to Prevent Them?

Posted: September 28, 2021

Serialization attacks are a lesser-known and less common class of threat than the more publicized ones, partly because exploiting them takes a greater level of expertise. When a serialization vulnerability is exploited successfully, the result can be a data breach or a foothold for further cyber-attacks. Because of their severity and the difficulty of preventing them, serialization attacks appear on the OWASP Top 10 list of application security risks under the heading of insecure deserialization.

In this article, we delve further into these attacks and discuss ways to prevent them.

Serialization Attacks: A Deep Dive

Serialization and Deserialization

To understand how these attacks work, it is important to understand the foundational concepts of serialization and deserialization and the difference between them.

Serialization is the process wherein complex data structures such as objects and their fields are transformed into ‘flatter’ formats that can be sent and received as a sequential stream of bytes. Programming languages use either binary or string formats to serialize objects. Popular serialization formats include CSV, JSON and XML.

Serialization is a basic function that applications need for the easy storage and transfer of data. By transforming complex data structures into flatter formats, serialization reduces the data’s disk space and bandwidth requirements. It is used in web services, databases, and caching servers.

Deserialization is the reverse process wherein the sequential stream of bytes is read and restored to its original data structure. In other words, it is the process by which an object and its fields are recreated in the memory from the serialized form.

Serialization and deserialization, when implemented securely, are powerful processes for storage and data transfer.

What are Serialization Attacks? How Do They Work?

Suppose an attacker sends a serialized object that has been tampered with or carries a malicious payload (for example, a modified JSON document) to an application or API endpoint, hoping that the application will process this unvalidated, untrusted input.

A serialization attack succeeds when the application deserializes such unvalidated, hostile data directly into its in-memory structures. The attack works because the application has an insecure deserialization vulnerability: it reconstructs whatever the stream describes without checking it first.

In another scenario, the attacker intercepts serialized objects in transit between two servers when they are not sent over a tamper-proof, encrypted channel. This is dangerous if the object or its fields contain sensitive data.

The attacker leverages the serialization vulnerability to gain access to applications, systems or networks and/or to exfiltrate data. These attacks can lead to remote code execution, data compromise, ransomware, access control attacks, DoS attacks and server crashes, authentication bypass, SQL injection, path traversal, and so on.
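The following Python example is added here and is not code from the original article. It contrasts the insecure pattern the section describes (handing raw input to a deserializer that rebuilds arbitrary objects, with pickle as the illustration) with a hardened loader that parses a data-only format and validates every field against an expected schema, so that a tampered or oversized message is rejected before it reaches the in-memory structure. The schema, the allowed values and the sample messages are constructed for this example.

```python
import json
import pickle  # present only to show the pattern that must never see untrusted bytes
from typing import Optional

# Expected shape of a profile-update message. Constructed for this example;
# a real application would define the schema for its own messages.
PROFILE_SCHEMA = {"username": str, "display_name": str, "theme": str}
ALLOWED_THEMES = {"light", "dark"}


class DeserializationError(ValueError):
    """Raised when input does not match the expected shape."""


def insecure_load(blob: bytes):
    """The insecure pattern: pickle rebuilds whatever objects the stream names,
    so a hostile stream controls what happens during deserialization. Never
    call this on data from a client; it is here only for contrast."""
    return pickle.loads(blob)


def secure_load(blob: bytes) -> dict:
    """Parse a data-only format (JSON) and validate every field before use."""
    try:
        parsed = json.loads(blob.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and json.JSONDecodeError
        raise DeserializationError(f"malformed input: {exc}") from None
    if not isinstance(parsed, dict):
        raise DeserializationError("top-level value must be a JSON object")
    unexpected = set(parsed) - set(PROFILE_SCHEMA)
    if unexpected:
        # Extra fields are rejected outright: a tampered payload typically adds
        # a field the application never asked for (for example a privilege flag).
        raise DeserializationError(f"unexpected fields: {sorted(unexpected)}")
    missing = set(PROFILE_SCHEMA) - set(parsed)
    if missing:
        raise DeserializationError(f"missing fields: {sorted(missing)}")
    for field, expected_type in PROFILE_SCHEMA.items():
        if type(parsed[field]) is not expected_type:
            raise DeserializationError(
                f"field {field!r} must be {expected_type.__name__}")
    if parsed["theme"] not in ALLOWED_THEMES:
        raise DeserializationError("theme not in allow-list")
    return parsed


def rejection_reason(blob: bytes) -> Optional[str]:
    """Return why secure_load rejects blob, or None if the input is accepted."""
    try:
        secure_load(blob)
    except DeserializationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample messages: one valid, the rest malformed or tampered.
    good = b'{"username": "alice", "display_name": "Alice", "theme": "dark"}'
    extra = b'{"username": "alice", "display_name": "Alice", "theme": "dark", "is_admin": true}'
    wrong_type = b'{"username": "alice", "display_name": 42, "theme": "dark"}'
    not_object = b'["alice", "dark"]'
    print("accepted:", secure_load(good))
    for sample in (extra, wrong_type, not_object, b"\xff\xfe"):
        print("rejected:", rejection_reason(sample))
```

The design point is that `secure_load` never lets the input decide which types get created: the format carries data only, the set of fields is closed, each field's type is checked with `type(...) is`, and enumerated values are checked against an allow-list. `insecure_load` is the shape of code that turns a serialized message into a remote code execution primitive, which is why it takes no validation argument: there is nothing to validate once `pickle.loads` has run.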

When is an Application Vulnerable to These Attacks?

In today’s highly interconnected IT environment with extensive dependencies, applications carry a growing number of classes and methods that are difficult to keep track of. Attackers could use any of these classes and methods to orchestrate an attack, so these growing dependencies are a source of serialization vulnerabilities.

If the application naively deserializes all inputs without checks and validation in place, it is exposed to insecure deserialization. Serializing sensitive data also leaves the application at high risk of attack.

The application may be vulnerable to these attacks even if the organization controls both the serializing and the deserializing endpoint. This happens when the transmission is not protected by TLS/SSL, which encrypts data in transit.

An application is vulnerable to serialization attacks if it allows attackers to access interfaces where serialized data is loaded. For instance, if web session information is stored in a client cache using cookies, the user has access to the cookie data. The attacker could leverage this access to tamper with cookies, say, changing the access controls and gaining access to the system.

Preventing Serialization Attacks

  • Serialization of sensitive data must be avoided. Wherever possible, developers should write class-specific serialization methods to ensure that sensitive fields and internal state are not exposed to the serialization stream.
  • Deserialization of input data must be avoided unless absolutely necessary. Deserialization of untrusted and unvalidated inputs must strictly be avoided. Intelligent Web Application Firewalls (WAFs), digital signatures and other robust security measures must be used to ensure serialized objects have not been tampered with.
  • Isolate and run deserialized objects/code in secure, low-privilege environments.
  • Maintain a log of deserialization failures and exceptions.
  • Onboard a security solution that combines intelligent automation with the trusted expertise of certified security professionals.
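The example below is added here and is not code from the article or from Indusface. It brings together three of the points above and the cookie scenario from the previous section: a class-specific serializer that keeps sensitive fields out of the stream, an HMAC-SHA256 tag (serving as the article's "digital signature"; HMAC is a keyed MAC rather than a public-key signature, chosen because the same server both writes and reads the cookie) that is verified before any deserialization happens, and a log entry for every failure. The key, the field names, the user record and the logger name are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import logging
from typing import Optional

logger = logging.getLogger("session")

# Constructed server-side key for this example; a real deployment loads it from
# a secrets store and never sends it to the client.
SECRET_KEY = b"example-key-do-not-use-in-production"

# Allow-list of fields that may enter the serialization stream (the
# "class-specific serialization method" idea): password hashes and API tokens
# stay server-side.
SESSION_FIELDS = ("user_id", "username", "role")


def session_view(user_record: dict) -> dict:
    """Pick only the allow-listed fields of a user record for serialization."""
    return {name: user_record[name] for name in SESSION_FIELDS}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize to canonical JSON and append an HMAC-SHA256 tag.
    The client can read the cookie but cannot alter it without the key."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def load_session(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Verify the tag before any deserialization happens.
    Every failure is logged and yields None, so the caller treats the
    request as unauthenticated instead of trusting a modified cookie."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError as exc:  # includes binascii.Error from bad base64
        logger.warning("session cookie malformed: %s", exc)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        logger.warning("session cookie tag mismatch: possible tampering")
        return None
    try:
        session = json.loads(payload.decode("utf-8"))
    except ValueError as exc:
        logger.warning("session payload is not valid JSON: %s", exc)
        return None
    if not isinstance(session, dict) or set(session) != set(SESSION_FIELDS):
        logger.warning("session payload has unexpected shape")
        return None
    return session


def replace_payload_keeping_tag(cookie: str, new_session: dict) -> str:
    """Simulate the article's cookie-tampering scenario for the demo: rewrite
    the serialized fields while reusing the original tag, which is all that
    can be done client-side without the key."""
    _, tag_b64 = cookie.split(".", 1)
    payload = json.dumps(new_session, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return f"{_b64(payload)}.{tag_b64}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed user record; the sensitive fields never reach the cookie.
    record = {"user_id": 7, "username": "alice", "role": "user",
              "password_hash": "<hash placeholder>", "api_token": "<token placeholder>"}
    cookie = sign_session(session_view(record))
    print("valid cookie loads as:", load_session(cookie))
    tampered = replace_payload_keeping_tag(
        cookie, {"user_id": 7, "username": "alice", "role": "admin"})
    print("tampered cookie loads as:", load_session(tampered))
```

Two details matter in `load_session`: the tag is checked with `hmac.compare_digest` before `json.loads` ever runs, so untrusted bytes are never deserialized, and the shape of the decoded object is checked against the same allow-list that produced it. The warning lines are the "log of deserialization failures" from the list above; a run of tag-mismatch entries from one client is a useful detection signal.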

The Bottomline

Serialization and deserialization are powerful tools but need to be executed securely so that they do not become counterproductive. Managed, intuitive security solutions from Indusface combine blacklisting and whitelisting models, profiling, behavior and pattern analytics, an intuitive WAF with customized and regularly tuned policies, and threat intelligence to harden applications against serialization attacks.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
