Insecure Deserialization
A vulnerability where untrusted data is used to reconstruct application objects, potentially leading to remote code execution.
Insecure deserialization occurs when an application deserializes (reconstructs objects from serialized data) untrusted input without adequate validation. Attackers can manipulate serialized objects to alter application logic, escalate privileges, or achieve remote code execution through "gadget chains": sequences of methods on classes already present on the application's class path that, when invoked during deserialization, perform actions of the attacker's choosing.
This vulnerability affects applications using native serialization in languages like Java (ObjectInputStream), PHP (unserialize), Python (pickle), Ruby (Marshal), and .NET (BinaryFormatter). It can also appear in applications whose JSON or XML deserializers are configured to honor type information supplied in the input (polymorphic type handling), which lets the sender choose which class is instantiated.
Exploitation typically requires knowledge of the application's class path and available libraries, but publicly available gadget-chain tooling (such as ysoserial for Java) makes exploitation accessible. The impact ranges from denial of service to full remote code execution.
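The Python pickle case described above, as an added example that is not part of the original page: pickle resolves class and function references named inside the data, so the mitigation is to refuse any reference that is not on an allow-list. The allow-list, the `RestrictedUnpickler` name and the triage helper are assumptions for this example, not a standard library API.

```python
import io
import pickle
import pickletools

# Allow-list of (module, name) globals an untrusted pickle may reference.
# Assumption for this example: the app only stores plain containers plus these types.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle resolves GLOBAL/STACK_GLOBAL opcodes by importing the named module and
    fetching the attribute; a stock Unpickler returns ANY importable callable, and a
    following REDUCE opcode calls it. That is the gadget mechanism, so find_class is
    the choke point: resolve allow-listed names only, reject everything else."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def unsafe_loads(data: bytes):
    # The vulnerable pattern: pickle.loads() straight on attacker-controlled bytes.
    return pickle.loads(data)

def referenced_globals(data: bytes):
    """Triage helper: list the globals a pickle names WITHOUT loading it.
    pickletools.genops only parses opcodes, so it is safe on hostile input.
    STACK_GLOBAL (protocol 4+) takes module/name from the two preceding strings;
    tracking them is a heuristic for logging, not the security boundary."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                    # protocols 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":            # protocol 4+
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found

if __name__ == "__main__":
    import os
    hostile = pickle.dumps(os.getcwd)  # constructed: a bare reference to a callable
    print("references:", referenced_globals(hostile))
    print("plain dict loads:", restricted_loads(pickle.dumps({"user": "alice"})))
```

Preferable to any allow-list is not to accept pickle from untrusted sources at all; use a data-only format such as JSON validated against a schema.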
How APVISO tests for this: APVISO's scanner agent identifies serialized data in cookies, API parameters, and hidden form fields, then tests with known gadget chain payloads for the detected technology stack. It monitors for out-of-band callbacks to confirm exploitation.