Insecure deserialization occurs when an application reconstructs objects from serialized data (JSON, XML, Java serialized objects, PHP serialized data, Python pickle) without proper validation. If an attacker can control the serialized input, they may be able to manipulate the deserialized object to achieve remote code execution, privilege escalation, or data tampering. Java deserialization vulnerabilities have been behind some of the most impactful breaches in enterprise software. Testing covers: identifying all deserialization points in the application, testing with manipulated serialized objects, evaluating whether the application uses known-vulnerable deserialization libraries, and assessing whether input validation or type-checking prevents exploitation.
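The last point above, whether input validation or type-checking actually prevents exploitation, is easiest to reason about with a concrete wrapper. The following is an added example, not code from the original article: a small Python pickle wrapper that applies two controls at the deserialization point, an HMAC integrity check on the serialized blob (so data the application did not itself produce is refused before any object is reconstructed) and a type allow-list inside the unpickler (so even a correctly signed blob cannot resolve classes or callables the application does not expect). The `SessionState` class, the `SIGNING_KEY` value and the helper names are constructed for illustration.

```python
"""Added example (not from the original article): defensive pickle
deserialization with integrity checking and type allow-listing.
All names and the signing key are constructed for illustration."""

import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed secret for the example; a deployment would load it from a secrets store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size


@dataclass
class SessionState:
    """The one object type this endpoint legitimately round-trips."""
    user_id: int
    role: str


# Only these (module, name) pairs may be resolved while unpickling.
ALLOWED_GLOBALS = {
    (__name__, "SessionState"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Pickle resolves every class or callable it needs through find_class,
    so overriding it is the choke point for type-checking the stream."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def serialise(obj) -> bytes:
    """Pickle the object and prepend an HMAC-SHA256 tag over the blob."""
    blob = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()
    return tag + blob


def deserialise(signed: bytes):
    """Verify the tag first; only then hand the blob to the restricted unpickler."""
    tag, blob = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialise")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def round_trip() -> SessionState:
    """Legitimate data produced by the application passes both controls."""
    return deserialise(serialise(SessionState(42, "viewer")))


def tampered_is_rejected() -> bool:
    """A single flipped bit in the body fails the integrity check before unpickling."""
    signed = bytearray(serialise(SessionState(42, "viewer")))
    signed[-1] ^= 0x01
    try:
        deserialise(bytes(signed))
    except ValueError:
        return True
    return False


def unexpected_global_is_rejected() -> bool:
    """Defence in depth: a correctly signed blob that references a global
    outside the allow-list (here the harmless builtins.print) is still refused,
    which is what protects the endpoint if the signing key ever leaks."""
    try:
        deserialise(serialise(print))
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("round trip:", round_trip())
    print("tampered blob rejected:", tampered_is_rejected())
    print("unexpected global rejected:", unexpected_global_is_rejected())
```

When reviewing a deserialization point, the useful question is whether each of these two checks is present and ordered correctly: the integrity check must run before any object is constructed, and the allow-list must be enforced inside the deserializer rather than by inspecting the result afterwards, since by then arbitrary constructors may already have run.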
Technical | 2026-08-24
Insecure Deserialization: Remote Code Execution Through Data Processing — A Guide for Japanese Companies
When applications deserialize untrusted data without validation, attackers can achieve remote code execution. How to test for it. Guidance for the Japanese market.