Applications handle complex data structures. Serialization converts such a structure into a flat representation, typically a byte stream or a text format, that can be stored or transmitted easily. For example, think about the different actions that go into making a peanut butter and jelly sandwich:
- Get plate
- Get bread
- Open bread
- Take out bread 1
- Put bread 1 on plate
- Take out bread 2
- Put bread 2 on plate
- Get knife
- Get peanut butter
- Open peanut butter
- Get jelly
- Open jelly
- Get peanut butter on knife
- Put peanut butter on bread 1
- Get jelly on knife
- Put jelly on bread 2
- Smoosh bread 1 and bread 2 together with covered sides facing
You need all of these things to happen to make the sandwich, but they don't have to occur in exactly this order. Sending all 17 of these data points as individual messages every time someone asks for a peanut butter and jelly sandwich would be slow to write down and send. Instead, you would most likely group them in a single document titled "Peanut Butter and Jelly Sandwich" and send that when asked; this is like serialization. When the recipient opens the document and reads each individual data point back out, that is like deserialization.
Deserialization is the reverse process: reconstructing the original, expanded data structure from its stored or transmitted form. The danger arises when an application deserializes data it does not control. Many serialization formats (Java serialization, Python's pickle, PHP's unserialize, .NET's BinaryFormatter) encode not just values but which classes to instantiate and which methods to run while rebuilding them, so a malicious actor who can supply the serialized input can tamper with application logic or, by chaining the right classes, execute code remotely. That makes insecure deserialization one of the most serious attack types.
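The following is an added example, not code from the original article, showing the mechanism in Python's pickle module. The sandwich dictionary, the `Gadget` class, `attacker_callback` and the `SIDE_EFFECTS` list are constructed for the demonstration; the callback merely records that it ran where a real payload would call something like `os.system`. The hardened `RestrictedUnpickler` follows the allow-list pattern described in the Python documentation for `pickle.Unpickler.find_class`, and `safe_roundtrip` shows the better option of a data-only format.

```python
import io
import json
import pickle

# Constructed sample: the sandwich from the text as a plain data structure.
SANDWICH = {
    "name": "Peanut Butter and Jelly Sandwich",
    "steps": ["Get plate", "Get bread", "Open bread"],
}

# Records side effects so we can observe that code ran *during* deserialization.
SIDE_EFFECTS = []


def attacker_callback(marker):
    """Stand-in for a real payload (e.g. os.system). It only records that it ran."""
    SIDE_EFFECTS.append(marker)
    return marker


class Gadget:
    """An object whose serialized form tells pickle to call attacker_callback on load."""

    def __reduce__(self):
        # pickle stores (callable, args); the unpickler CALLS it to rebuild the object.
        return (attacker_callback, ("code ran during pickle.loads",))


def build_malicious_payload() -> bytes:
    """What an attacker would send: a pickle naming a callable and its arguments."""
    return pickle.dumps(Gadget())


def serialize_sandwich() -> bytes:
    """A benign payload: only dict/list/str opcodes, no class references."""
    return pickle.dumps(SANDWICH)


def vulnerable_load(data: bytes):
    """Insecure: pickle.loads resolves and calls whatever callables the payload names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: refuse to resolve any global that is not on an explicit allow-list."""

    SAFE = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    """Load with the allow-listing unpickler; raises on any disallowed class."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def payload_is_blocked(data: bytes) -> bool:
    """True if the restricted unpickler rejects the payload instead of executing it."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def safe_roundtrip(obj):
    """Preferred fix: a data-only format. json.loads cannot instantiate arbitrary classes."""
    return json.loads(json.dumps(obj))


if __name__ == "__main__":
    payload = build_malicious_payload()
    vulnerable_load(payload)
    print("side effects after pickle.loads:", SIDE_EFFECTS)
    print("restricted unpickler blocked payload:", payload_is_blocked(payload))
    print("benign data still loads:", restricted_load(serialize_sandwich()) == SANDWICH)
    print("json round trip intact:", safe_roundtrip(SANDWICH) == SANDWICH)
```

Note that the malicious payload never contains any code of its own; it contains only the name of a function and its arguments, and the deserializer does the calling. That is why the fix is to control which classes and callables may be resolved (or, better, to use a format such as JSON that can only produce plain data) rather than to scan the bytes for suspicious content.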