Insecure deserialization often leads to remote code execution vulnerabilities.
Even if deserialization vulnerabilities do not result in remote code execution, they can be used to perform replay attacks, injection attacks, and privilege escalation.
| OWASP Top 10 Application Security Risks - 2017 | Reference |
|---|---|
| A8:2017-Insecure Deserialization | OWASP |
> Most of the time, serialization is used as a quick and easy way to save, reload, or transmit data structures that can be represented in a simpler and less dangerous way.
> The secret to application security is having defined interfaces for handling data, and deserialization does not fit this practice.
>
> (Francesco Ongaro)
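The two mitigations above, as an added example (not code from the OWASP entry or from Ongaro): a restricted unpickler that refuses to resolve any class or function outside an explicit allowlist, and, the preferred form, a defined interface that parses a known record shape from JSON. `SessionRecord`, `parse_session` and the sample inputs are constructed for this illustration.

```python
import datetime
import io
import json
import pickle
from dataclasses import dataclass

# Mitigation 1: refuse to resolve any global not on an explicit allowlist.
# This limits what a pickle stream can reach, but it is a stopgap; pickle
# is still not a format to accept from untrusted sources.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Mitigation 2 (preferred): a defined interface. The record's shape is
# stated up front and parsed from JSON, which carries data but no code.
@dataclass(frozen=True)
class SessionRecord:
    user_id: int
    role: str

ALLOWED_ROLES = {"viewer", "editor"}

def parse_session(raw: bytes) -> SessionRecord:
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != {"user_id", "role"}:
        raise ValueError("unexpected or missing fields")
    uid = obj["user_id"]
    if isinstance(uid, bool) or not isinstance(uid, int) or uid < 0:
        raise ValueError("user_id must be a non-negative integer")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return SessionRecord(uid, obj["role"])

def accepts(loader, data: bytes) -> bool:
    """True if loader(data) returns, False if it rejects the input."""
    try:
        loader(data)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False

# Constructed sample inputs (not taken from any real application).
BENIGN_PICKLE = pickle.dumps({"user_id": 7, "role": "viewer"})   # no globals
CLASS_PICKLE = pickle.dumps(datetime.date(2024, 1, 1))          # needs datetime.date
SESSION_JSON = b'{"user_id": 7, "role": "viewer"}'
```

`restricted_loads` accepts `BENIGN_PICKLE` but rejects `CLASS_PICKLE`, while `parse_session` rejects any document with extra fields, a boolean or negative `user_id`, or a role outside the allowlist.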