- Serialization converts an in-memory object into a byte or text format that can be stored on disk or sent over a network
- Serialized data can be YAML, binary, XML, JSON, or a language-native format such as Java object serialization, PHP `serialize()` output, or Python pickle
- Deserialization is the opposite process: the serialized data is parsed and reconstructed into a live object in memory
- In other words, you take the serialized data and deserialize it, and the deserializer decides which classes to instantiate and which methods to call based on what it reads from the input
An insecure deserialization attack is when you craft a malicious serialized object (the payload) and introduce it to a web application at a point where it deserializes user-controlled input, such as a cookie, a hidden form field, a session token, or an API parameter.
Upon deserialization, the web application reconstructs the attacker's object, and the methods the deserializer runs as a side effect (constructors, Java `readObject()`, PHP `__wakeup()`/`__destruct()`, Python `__reduce__`) can be chained so that the application ends up executing the attacker's code. The attacker does not upload new code: they reference classes that already exist in the application or its libraries (gadgets) and arrange them so the deserializer triggers the dangerous behaviour.
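The attack described above in working code, using Python's `pickle` as the deserializer. This is an added example, not code from the original page: the `Session`, `EvilPayload` and `RestrictedUnpickler` names are invented for the demonstration. `unsafe_load` is the vulnerable sink, `safe_load` shows an allowlisting loader that refuses the payload before any callable is invoked, and the JSON helpers show the data-only alternative.

```python
import io
import json
import pickle


class Session:
    """The object the app legitimately serializes: a plain data holder.
    (Constructed for this example; the page names no specific class.)"""

    def __init__(self, user, role):
        self.user = user
        self.role = role


class EvilPayload:
    """Attacker-controlled object. pickle asks __reduce__ how to rebuild the object
    and records "call eval(<string>)" in the byte stream; that call is executed
    inside pickle.loads(), i.e. during deserialization, not during serialization."""

    def __reduce__(self):
        # A real payload would return (os.system, ("<shell command>",)).
        # A harmless expression is evaluated here so the demo is deterministic.
        return (eval, ("__import__('os').getpid()",))


def serialize(obj):
    return pickle.dumps(obj)


def unsafe_load(blob):
    """The vulnerable sink: untrusted bytes go straight into pickle.loads()."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only classes on the allowlist may be resolved. Any
    GLOBAL/STACK_GLOBAL reference to anything else (builtins.eval, os.system, ...)
    aborts the load before the referenced callable is ever invoked."""

    ALLOWED = {(Session.__module__, "Session"): Session}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob):
    """True if the hardened loader refused the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Better still: a data-only format. JSON carries no class references, so the
# application, not the input, decides which object gets built.
def to_json(session):
    return json.dumps({"user": session.user, "role": session.role})


def from_json(text):
    data = json.loads(text)
    return Session(str(data["user"]), str(data["role"]))


if __name__ == "__main__":
    legit = serialize(Session("alice", "user"))
    evil = serialize(EvilPayload())
    print("legit via unsafe_load:", vars(unsafe_load(legit)))
    print("evil via unsafe_load ran eval, got:", unsafe_load(evil))
    print("legit via safe_load:", vars(safe_load(legit)))
    print("evil via safe_load refused:", safe_load_rejects(evil))
    print("JSON round trip:", vars(from_json(to_json(Session("bob", "admin")))))
```

Two things to notice: the attacker's code runs at the moment `pickle.loads()` reads the `builtins.eval` reference, before the application ever looks at the returned object, so validating the result after the fact is too late; and the allowlist works because the unpickler must ask `find_class` for every class or function named in the stream, which is the same choke point that Java's `ObjectInputFilter` and similar lookahead filters use.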
- Web apps use serialization and deserialization very often (sessions, caches, message queues, RPC, view state)
- These are very hard to find from the outside: look for where untrusted serialized data enters the app and recognize the format by its fingerprint, e.g. Java serialized objects start with the bytes `AC ED 00 05` (`rO0AB` when base64-encoded), PHP serialized objects start with `O:` (arrays with `a:`), and Python pickles written with protocol 2 or later start with `\x80` followed by the protocol number
{% embed url="https://github.com/frohoff/ysoserial" %}