HIGH Insecure Deserialization

Insecure Deserialization in APIs

Q: What makes deserialization vulnerable in APIs?

Deserialization becomes vulnerable when APIs accept serialized data from untrusted sources without proper validation. The core issue is that deserialization reconstructs objects from raw data, and if an attacker can manipulate this data, they can potentially instantiate malicious objects or trigger unexpected behavior. APIs are particularly at risk because they often process client-submitted data, and many frameworks provide convenient but unsafe deserialization mechanisms by default.

Q: How can I test my API for deserialization vulnerabilities?

Testing for deserialization vulnerabilities involves examining your API's input handling and attempting to submit crafted serialized payloads. middleBrick automates this process by scanning API endpoints for deserialization patterns and testing them with various payloads. You can also manually test by examining your API's documentation for endpoints that accept complex objects, then attempting to submit modified serialized data to see if it's properly validated. Look for error messages that reveal internal implementation details, as these can indicate vulnerable deserialization code.

Q: Are some programming languages more vulnerable to deserialization attacks?

Yes, languages with built-in serialization mechanisms like Java, PHP, and Python are generally more vulnerable because they make serialization convenient but often unsafe by default. Java's native serialization is particularly notorious for security issues. However, any language that deserializes untrusted data can be vulnerable. The key factor isn't the language itself but whether the application properly validates and sanitizes serialized data before deserialization. Even languages without built-in serialization can be vulnerable if they implement custom deserialization logic without proper security measures.

What is Insecure Deserialization?

Insecure deserialization is a vulnerability that occurs when an application deserializes untrusted data without proper validation. Serialization converts objects into a format that can be stored or transmitted, while deserialization reconstructs those objects from the serialized data. When attackers can manipulate the serialized data, they can potentially execute arbitrary code, bypass authentication, or cause denial of service.

The vulnerability is particularly dangerous in APIs because they often accept serialized objects from clients, assuming the data is trustworthy. If an API blindly deserializes data without validation, an attacker can craft malicious payloads that, when deserialized, execute harmful code on the server. This is especially prevalent in languages like Java, PHP, and Python that have built-in serialization mechanisms.

Common attack vectors include submitting crafted serialized objects in API parameters, headers, or request bodies. The attacker's goal is typically to trigger unexpected behavior during deserialization, such as instantiating unexpected classes, executing malicious code, or accessing sensitive data.

How Insecure Deserialization Affects APIs

In API contexts, insecure deserialization can lead to severe consequences. An attacker might exploit this vulnerability to bypass authentication mechanisms by crafting serialized objects that impersonate legitimate users. They could also execute arbitrary code on the server, potentially gaining full system access.

Consider a REST API that accepts serialized Java objects in request parameters. If the API doesn't validate the serialized data, an attacker could submit a malicious object that, when deserialized, executes system commands. This could lead to data theft, server compromise, or even pivoting to internal networks.

Another common scenario involves denial of service attacks. By submitting specially crafted serialized data, attackers can cause the deserialization process to consume excessive memory or CPU resources, effectively taking down the API service. This is particularly problematic for APIs that handle large volumes of requests.

APIs that use object serialization for caching or session management are also at risk. If an attacker can manipulate cached serialized objects, they might escalate privileges or access other users' data. This is especially concerning for APIs that don't properly isolate user sessions.

How to Detect Insecure Deserialization

Detecting insecure deserialization requires examining how your API handles serialized data. Look for endpoints that accept serialized objects, particularly in parameters, headers, or request bodies. Check if the API validates the source and integrity of serialized data before processing it.

middleBrick's black-box scanning approach tests for deserialization vulnerabilities by examining API endpoints for signs of unsafe deserialization practices. The scanner looks for endpoints that might accept serialized data and tests whether they properly validate and sanitize this input. It checks for common deserialization patterns and attempts to identify endpoints that could be vulnerable to crafted payloads.

The scanner also examines API responses for indicators of serialization libraries being used, which can help identify potential attack surfaces. For APIs that provide OpenAPI specifications, middleBrick cross-references the documented data structures with actual runtime behavior to identify discrepancies that might indicate deserialization issues.

Key indicators to watch for include endpoints that accept binary data formats (like Java serialization, PHP serialization, or Python pickle), lack of input validation on complex objects, and error messages that reveal internal implementation details about serialization libraries.

Prevention & Remediation

The most effective prevention strategy is to avoid deserializing untrusted data altogether. If your API must handle serialized data, implement strict validation and use safe deserialization libraries. Here's a concrete example in Java:

// Unsafe deserialization (vulnerable)
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();

Instead, use a whitelist approach:

// Safe deserialization with validation
ObjectInputStream ois = new ObjectInputStream(inputStream);
ois.setObjectInputFilter(filter -> {
    if (!isAllowedClass(filter.getSerialData().getClass())) {
        throw new InvalidClassException(

 Real-World Impact
 Insecure deserialization has been responsible for numerous high-profile security incidents. The Apache Struts vulnerability (CVE-2017-5638) allowed remote code execution through malicious Content-Type headers. This vulnerability affected thousands of applications and was actively exploited in the wild.
Another notable example is the Java Commons Collections library vulnerability, where specially crafted serialized objects could execute arbitrary code during deserialization. This affected applications using vulnerable versions of the library for Java object serialization.
The financial impact of deserialization vulnerabilities can be severe. Beyond the immediate security breach, organizations often face compliance violations, data breach notification costs, and reputational damage. The OWASP API Security Top 10 lists insecure deserialization as a critical concern, emphasizing its prevalence and severity in modern API ecosystems.
Many successful attacks leverage insecure deserialization as an initial foothold, then use the compromised system to launch further attacks. This makes it particularly dangerous, as it can serve as a gateway to more extensive network compromise. Organizations should treat deserialization vulnerabilities as critical security issues requiring immediate attention.

  Scan for insecure deserialization View all security checks 
  Frequently Asked Questions
What makes deserialization vulnerable in APIs?
Deserialization becomes vulnerable when APIs accept serialized data from untrusted sources without proper validation. The core issue is that deserialization reconstructs objects from raw data, and if an attacker can manipulate this data, they can potentially instantiate malicious objects or trigger unexpected behavior. APIs are particularly at risk because they often process client-submitted data, and many frameworks provide convenient but unsafe deserialization mechanisms by default.
How can I test my API for deserialization vulnerabilities?
Testing for deserialization vulnerabilities involves examining your API's input handling and attempting to submit crafted serialized payloads. middleBrick automates this process by scanning API endpoints for deserialization patterns and testing them with various payloads. You can also manually test by examining your API's documentation for endpoints that accept complex objects, then attempting to submit modified serialized data to see if it's properly validated. Look for error messages that reveal internal implementation details, as these can indicate vulnerable deserialization code.
Are some programming languages more vulnerable to deserialization attacks?
Yes, languages with built-in serialization mechanisms like Java, PHP, and Python are generally more vulnerable because they make serialization convenient but often unsafe by default. Java's native serialization is particularly notorious for security issues. However, any language that deserializes untrusted data can be vulnerable. The key factor isn't the language itself but whether the application properly validates and sanitizes serialized data before deserialization. Even languages without built-in serialization can be vulnerable if they implement custom deserialization logic without proper security measures.