00 — Overview
Deserialization Attacks
When an application deserializes attacker-controlled data, the deserializer itself runs code before the application ever sees the result: hooks such as Python's __reduce__, PHP's __wakeup and __destruct, and Java's readObject execute while the object is still being rebuilt, so validation that happens afterwards is too late. Python's pickle, PHP's unserialize, and Java's ObjectInputStream have each been the root cause of remote code execution in widely deployed software.
Intermediate · 45 min · 5 tasks
// By the end of this module
→Recognise serialized data formats in cookies, request bodies, and API responses
→Craft a malicious Python pickle payload using the __reduce__ method
→Understand PHP magic methods (__wakeup, __destruct) and gadget chains
→Identify Java deserialization entry points and the risks of ObjectInputStream
→Replace unsafe deserialization with a data-only format such as JSON, and HMAC-sign any serialized data that leaves your control (cookies, tokens, hidden fields) so tampering is rejected before parsing
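The two Python objectives above (a __reduce__ payload, and its JSON-plus-HMAC replacement) in one runnable script. This is an added example written for this page, not code from the course's own tasks. It assumes a harmless `record()` function as a stand-in for the `os.system` call a real payload would name, and a hard-coded demo key `SECRET_KEY` that in real code would come from a secret store.

```python
import hashlib
import hmac
import json
import pickle

# --- Part 1: why pickle.loads() on untrusted bytes is code execution ---

# Constructed side-effect log: stands in for the shell command a real payload
# would run, so the effect is observable without being harmful.
EXECUTED = []


def record(tag):
    """Stand-in for os.system / subprocess: proves the unpickler called us."""
    EXECUTED.append(tag)
    return tag


class Exploit:
    """Attacker-side class. Its pickled form never mentions this class at all:
    __reduce__ tells pickle to rebuild the object by calling record(...).
    A real payload would return (os.system, ("id",)) here instead."""

    def __reduce__(self):
        return (record, ("pickle-ran-code",))


def craft_payload() -> bytes:
    # The attacker builds these bytes; the victim only ever sees the bytes.
    return pickle.dumps(Exploit())


def vulnerable_load(data: bytes):
    # The callable named in the stream runs inside pickle.loads(), before the
    # caller can inspect or validate whatever object comes back.
    return pickle.loads(data)


# --- Part 2: the safe replacement: data-only JSON plus an HMAC tag ---

# Hypothetical key for the demo; load it from a secret store in real code.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sign(obj) -> bytes:
    """Serialize obj as canonical JSON and append an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_and_load(token: bytes):
    """Check the tag with a constant-time compare *before* parsing the body.
    json.loads yields only dicts, lists, strings and numbers, never callables."""
    body, sep, tag = token.rpartition(b".")  # the hex tag contains no '.'
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: token was tampered with or forged")
    return json.loads(body)


if __name__ == "__main__":
    payload = craft_payload()
    print("victim loads pickle ->", vulnerable_load(payload), EXECUTED)

    token = sign({"user": "alice", "admin": False})
    print("signed session:", token)
    print("valid token ->", verify_and_load(token))
    try:
        verify_and_load(token.replace(b"false", b"true"))
    except ValueError as e:
        print("tampered token ->", e)
```

Note that the pickle stream names `record` directly, so the victim process needs neither the `Exploit` class nor any attacker code on its path; that is why gadget hunting only has to find callables already importable in the target. Overriding `pickle.Unpickler.find_class` to allow-list types is a defence in depth, but the module's recommendation stands: if the client can hand the bytes back to you, use a data-only format and authenticate it.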
// Prerequisites
Complete these before starting this module for the best experience.