Serialization is the process of transforming a data structure or object into a format that can be transmitted, in our case, within an HTTP request or response. Deserialization is the opposite process.
When an object is serialized, let's say, to a JSON string, and sent from a server to a client or vice versa, an attacker can see and understand the contents of the object and change them so that when the other end receives the serialized object and deserializes it to put it back into an object format, it interprets the changed content as executable code and executes it. This is the most common scenario of a deserialization attack.
In this recipe, we will see the measures that developers should take in order to make their applications more secure when implementing a serialization/deserialization mechanism.
...
