ShieldReport

Insecure Deserialization

Severity: critical
OWASP A08:2021 | CWE-502 | Injection

What is Insecure Deserialization?

Serialization turns an in-memory object into a byte stream or string so it can be stored or sent over the network; deserialization rebuilds the object from that data. Insecure deserialization occurs when an application deserializes data from an untrusted source (a cookie, a hidden form field, an API body) without validating it first, so the attacker decides which classes are instantiated and what their fields contain.

How it works

An attacker takes a serialized object the application expects (a Java ObjectInputStream payload, a PHP serialize() string, a Python pickle, a .NET BinaryFormatter blob) and replaces it with one they crafted. Native deserializers reconstruct whatever classes the data names, and many classes run code while being reconstructed (Java readObject(), PHP __wakeup() and __destruct(), Python __reduce__). By chaining such classes from libraries already present in the application (a "gadget chain"), the attacker turns deserialization into code execution; even without a gadget chain, simply rewriting fields such as a role flag or user ID alters application logic.

Impact

Remote code execution, privilege escalation, injection attacks, replay attacks, and denial of service.

How ShieldReport detects this

ShieldReport identifies serialization formats in HTTP traffic and tests with known gadget chains for Java, PHP, and .NET applications.

How to fix it

Never deserialize untrusted data with a native object serializer. Prefer simple data formats such as JSON, and keep them simple: disable polymorphic type handling (Jackson default typing, Json.NET TypeNameHandling), because a JSON parser that instantiates whatever class the document names has the same problem. Where native serialization cannot be avoided, authenticate the blob before parsing it (an HMAC or digital signature checked with a constant-time comparison, so tampered data is rejected before any object is built), and restrict which classes the deserializer may instantiate (Java's ObjectInputFilter, PHP's unserialize($s, ['allowed_classes' => [...]]), a pickle.Unpickler subclass that overrides find_class). Log and alert on deserialization exceptions: repeated failures are often a sign of someone probing with gadget chains.
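The mechanism from "How it works" and the fix from "How to fix it", side by side in Python's pickle, as an added example that is not part of the original page or of ShieldReport's scanner. The gadget's sink is a harmless recorder standing in for os.system so the script is safe to run; SECRET_KEY, Session, the class allowlist and the payload contents are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import io
import pickle

# Stand-in for a dangerous sink such as os.system: it only records what would
# have been executed, so the "attack" below is safe to run.
EXECUTED = []


def attacker_sink(cmd):
    EXECUTED.append(cmd)
    return cmd


class Gadget:
    """Attacker-controlled class: unpickling it calls attacker_sink(cmd)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        # pickle stores (callable, args) and the loader calls callable(*args).
        return (attacker_sink, (self.cmd,))


class Session:
    """The legitimate object the application expects to receive (assumed)."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


def make_malicious_payload(cmd="id"):
    """What an attacker would submit in place of a real Session blob."""
    return pickle.dumps(Gadget(cmd))


def vulnerable_load(data):
    # Deserializes whatever the client sent: the gadget runs here.
    return pickle.loads(data)


# --- hardened version: verify integrity first, then allowlist classes ---

SECRET_KEY = b"example-key-replace-with-a-real-secret"  # assumption: server-side only


def sign(data):
    """Prefix the serialized bytes with an HMAC-SHA256 tag."""
    return hmac.new(SECRET_KEY, data, hashlib.sha256).digest() + data


def serialize_session(user, role):
    return sign(pickle.dumps(Session(user, role)))


class RestrictedUnpickler(pickle.Unpickler):
    # Only the classes the application genuinely expects may be instantiated.
    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob):
    if len(blob) < 32:
        raise ValueError("blob too short to carry a signature")
    tag, data = blob[:32], blob[32:]
    expected = hmac.new(SECRET_KEY, data, hashlib.sha256).digest()
    # Constant-time compare, and reject BEFORE touching the deserializer.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(loader, blob):
    """Return ("ok", obj) or ("error", ExceptionName) for easy comparison."""
    try:
        return ("ok", loader(blob))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    print(try_load(vulnerable_load, make_malicious_payload("id")), EXECUTED)
    print(try_load(safe_load, make_malicious_payload("id")))        # unsigned
    print(try_load(safe_load, sign(make_malicious_payload("id"))))  # signed but forbidden class
    print(try_load(safe_load, serialize_session("alice", "user"))[1].user)
```

The signature check stops an attacker who does not hold the key; the allowlist is defence in depth for the case where the key leaks or a signed blob is replayed, since a gadget still cannot name a class outside the set the application expects. The same two layers map onto Java (sign the stream, then install an ObjectInputFilter) and PHP (sign, then pass allowed_classes to unserialize()).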

Tags

injection, rce, java, owasp-top-10

Is your site vulnerable to Deserialization?

Run a free scan to find out in under 2 minutes.

Scan Now
© 2026 ShieldReport. All rights reserved.
