Insecure Deserialization
Serialization is a process of taking an object[Instance of a class viz. “FIAT” is an instance of a class “CAR”] from the application code and converting it into a sequence/ stream of bytes or desired format where it can be used for other purposes such as sending it over the wire as part of network transmission or storing it on a disk/ database/ datastore etc.
Deserialization is the opposite – A process of converting serialized data [Stream of bytes] back into objects usable/ supported by the application code. Thus there are possibilities of tampering of the data objects while it is getting deserialized from an untrusted source at the other end which leads to serious consequences like a distributed denial of service (DDoS) or a remote code execution.
The attackers target many web applications which frequently serialize and deserialize data.