Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. It also occupies the #8 spot in the OWASP Top…
Off to the Foodbank we go!
This year Acunetix has teamed up with local charity The Foodbank at St.Andrew’s, which helps individuals and families in short-term crisis through the provision of emergency food supplies. Acunetix staff collected non-perishable food items and baby products to be delivered to the Foodbank. All staff…
Online Security: Application Security Testing – Part 2
Part 1 in this series looked at Online Security and the flawed protocols it rests upon. Online Security is complex and its underlying fabric was built without security in mind. Here we shall be exploring aspects of Application Security Testing. We live in a world…
OWASP Top 10 2017 Update – What You Need to Know
After a long and winding road of discussion, deliberation, revision, disagreement and adjustment, the Open Web Application Security Project (OWASP) is updating its venerable Top 10 list of the most critical web application security risks for the first time since 2013. This update brings with it three new entries to…
Online Security: The Underlying Infrastructure – Part 1
Technology Revolutionized: A plethora of valuable solutions now run on web-based applications. One could argue that web applications are at the forefront of the world. More importantly, we must equip them with appropriate online security tools to barricade against the rising web vulnerabilities. With the right…
New build adds detection for CMS Made Simple vulnerabilities and many other updates
Acunetix v11 (build 11.0.173131028) has been released. This new build introduces new vulnerability checks for CMS Made Simple, adds support for Selenium scripts as import files, and includes a good list of updates and bug fixes. Below is a full list of updates. New Features…
Acunetix sponsors the 3rd Cyprus Penetration Testing Competition at UCLan Cyprus
Acunetix were the proud sponsors of the 3rd Cyprus Penetration Testing Competition that took place on Sunday, October 8th at UCLan Cyprus. The event was organized by UCLan Cyprus and the University of Cyprus, under the auspices of the office of the Commissioner of Electronic Communications…
it-sa 2017 Highlights
Acunetix recently participated in it-sa 2017 in Nuremberg, Germany in partnership with VOQUZ, the Acunetix Expert Partners for Germany. While talking to visitors, VOQUZ noted that IT compliance and data security were at the forefront of visitors’ minds, making Acunetix a fitting solution.
Cross-site Flashing (XSF) WordPress Vulnerability, Unpatched and Exploitable
WordPress, the content management system powering north of 28% of websites on the Internet, is certainly no stranger to providing timely security patches to its hundreds of millions of users when security researchers report vulnerabilities. This time however, things took a slightly different turn —…