Skip to content

Avoiding Insecure Serialization & Deserialization​

Published on

Java has many ways of serializing and deserializing data. Deserializing untrusted data with an insecure deserializer can lead to remote code execution and complete system compromise. Serializing without the proper attributes can expose sensitive data. Learn the risk of exposing sensitive data via serialization, explore unsafe and safe methods for serialization with Java, investigate unsafe and safe methods for deserialization using both Java's native binary format and JSON, and prevent serialization/deserialization vulnerabilities by validating the data types being deserialized.