Description

Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed.
Serialization may be used in applications for:
Remote- and inter-process communication (RPC/IPC)
Wire protocols, web services, message brokers
Caching/Persistence
Databases, cache servers, file systems
HTTP cookies, HTML form parameters, API authentication tokens
Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed. Serialization may be used in applications for:
Remote- and inter-process communication (RPC/IPC)
Wire protocols, web services, message brokers
Caching/PersistenceDatabases, cache servers, file systems
HTTP cookies, HTML form parameters, API authentication tokens