Java

Three Types of Deserialization


Serialization and deserialization are processes used in computer science and software development to convert complex data structures or objects into a format that can be easily stored, transmitted, or reconstructed later. These processes are particularly important when data needs to be passed between different parts of a program or across a network. Here’s an explanation of serialization and deserialization:

Serialization

Serialization is the process of converting a data structure or object in memory into a linear format that can be easily stored in a file or transmitted over a network. This linear format is typically a sequence of bytes or a text-based representation like JSON or XML. Serialization allows you to save an object’s state so it can be reconstructed later. The primary purposes of serialization include:

1. Data Persistence: Saving an object’s state to a file or a database so that it can be retrieved and used at a later time.

2. Data Transmission: Sending an object across a network to another application or system.

3. Cross-Language Communication: Facilitating communication between programs written in different programming languages.

Common use cases for serialization include saving user preferences in an application, storing game progress, and transmitting data between a client and server in web applications.

Deserialization

Deserialization is the reverse process of serialization. It involves taking the serialized data (e.g., a byte stream or JSON string) and reconstructing the original data structure or object in memory. In essence, deserialization is the process of turning data back into a usable form. The main purposes of deserialization are:

1. Data Retrieval: Loading data that was previously serialized, allowing it to be used within an application.

2. Data Processing: Processing data received over a network or from external storage and converting it into an internal data structure that an application can work with.

3. Cross-Language Communication: Converting data received from other systems or languages into a format that can be used by the local application.
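As an added example (not code from the original article), here is the full serialize-then-deserialize round trip using Java's built-in `ObjectOutputStream` / `ObjectInputStream` API. `UserPreferences` is a hypothetical class standing in for the "saving user preferences" use case mentioned above; everything else is the standard library.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Added example, not from the original article. UserPreferences is a
// hypothetical class used to show the round trip from object -> bytes -> object.
public class SerializationRoundTrip {

    static final class UserPreferences implements Serializable {
        // Pins the stream format so a later class change does not silently
        // break deserialization of previously saved data.
        private static final long serialVersionUID = 1L;
        final String theme;
        final int fontSize;
        final boolean[] notifications;

        UserPreferences(String theme, int fontSize, boolean[] notifications) {
            this.theme = theme;
            this.fontSize = fontSize;
            this.notifications = notifications;
        }

        @Override
        public String toString() {
            return "UserPreferences{theme=" + theme + ", fontSize=" + fontSize
                    + ", notifications=" + Arrays.toString(notifications) + "}";
        }
    }

    // Serialization: object graph in memory -> linear sequence of bytes.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Deserialization: byte sequence -> reconstructed object graph.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UserPreferences original = new UserPreferences("dark", 14, new boolean[] {true, false});

        byte[] data = serialize(original);
        // Every Java serialization stream begins with the magic number 0xACED
        // followed by the stream version 0x0005.
        System.out.printf("%d bytes, header %02x%02x %02x%02x%n",
                data.length, data[0], data[1], data[2], data[3]);

        UserPreferences copy = (UserPreferences) deserialize(data);
        boolean sameContent = copy.theme.equals(original.theme)
                && copy.fontSize == original.fontSize
                && Arrays.equals(copy.notifications, original.notifications);
        System.out.println("original: " + original);
        System.out.println("copy:     " + copy);
        // A new instance with the same state, never the same object.
        System.out.println("same instance? " + (copy == original) + ", same content? " + sameContent);
    }
}
```

Compile and run with `javac SerializationRoundTrip.java && java SerializationRoundTrip`. The important thing to notice for the rest of this article is that the byte stream names the class to reconstruct; `readObject()` trusts that name and rebuilds whatever the stream says.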

Insecure Deserialization


Applications handle complex data structures. Serialization flattens those structures into a byte stream (or a text form such as JSON) that can be stored and transmitted easily. For example, think about the different actions that go into making a peanut butter and jelly sandwich:

  1. Get plate
  2. Get bread
  3. Open bread
  4. Take out bread 1
  5. Put bread 1 on plate
  6. Take out bread 2
  7. Put bread 2 on plate
  8. Get knife
  9. Get peanut butter
  10. Open peanut butter
  11. Get jelly
  12. Open jelly
  13. Get peanut butter on knife
  14. Put peanut butter on bread 1
  15. Get jelly on knife
  16. Put jelly on bread 2
  17. Smoosh bread 1 and bread 2 together with covered sides facing

You need all of these things to happen as part of making the sandwich, but they aren’t necessarily step-by-step in this order. Having to send all 17 of these data points, like individual messages, every time someone asks for a peanut butter and jelly sandwich can be time-consuming to write down and send. Most likely, you’d group them in a document as “Peanut Butter and Jelly Sandwich” that you send when someone asks, similar to serialization. When the person opens the document, they can see each individual data point, similar to deserialization.

Deserialization is the process of reconstructing the original, expanded data structure. The problem arises when an application deserializes data an attacker controls. In Java, ObjectInputStream.readObject() instantiates whatever classes the stream names (any serializable class on the classpath) and runs their readObject and readResolve hooks before the calling code gets a chance to cast or validate the result, so the attacker decides which code executes. Depending on the classes available, a deserialization vulnerability lets malicious actors tamper with application state, exhaust memory or CPU with deeply nested graphs, or chain existing classes ("gadgets") into remote code execution, one of the most serious attack types. The defenses are to avoid deserializing untrusted input at all, to restrict the permitted classes with an allow-list filter (ObjectInputFilter, JEP 290) when native serialization cannot be avoided, and to integrity-protect serialized data (for example with an HMAC) whenever it crosses a trust boundary.
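As an added example (not code from the original article), the following shows the vulnerable pattern next to its hardened form. `Sandwich` is a hypothetical "expected" class, and `RunsOnRead` is a hypothetical class whose only purpose is to prove that `ObjectInputStream` executes the reconstructed class's `readObject` hook before the caller's cast ever happens. The hardened version uses the standard `ObjectInputFilter` allow-list (JEP 290, Java 9 and later, also backported to Java 8 update releases); the "hostile" bytes are constructed locally for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not from the original article. Sandwich and RunsOnRead are
// hypothetical classes; the "hostile" input is constructed inline for the demo.
public class InsecureVsFilteredDeserialization {

    static final class Sandwich implements Serializable {
        private static final long serialVersionUID = 1L;
        final String spread1 = "peanut butter";
        final String spread2 = "jelly";
    }

    // Any Serializable class on the classpath may define readObject; the JVM
    // invokes it while rebuilding the object, before the caller sees anything.
    static final class RunsOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean ran = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            ran = true; // stands in for whatever a real gadget chain would do here
            System.out.println("RunsOnRead.readObject executed during deserialization");
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // VULNERABLE: the cast runs after readObject() has already rebuilt (and run
    // the hooks of) whatever class the attacker put in the stream.
    static Sandwich deserializeUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (Sandwich) in.readObject();
        }
    }

    // HARDENED: an allow-list filter rejects every class except Sandwich before
    // it is resolved, and caps the stream size and nesting depth.
    static Sandwich deserializeFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                Sandwich.class.getName() + ";!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return (Sandwich) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Sandwich());
        byte[] hostile = serialize(new RunsOnRead()); // constructed attacker-style input

        System.out.println("filtered, expected input: " + deserializeFiltered(expected).spread1);

        try {
            deserializeUnfiltered(hostile);
        } catch (ClassCastException e) {
            // The cast fails, but the damage is done: the hook already executed.
            System.out.println("unfiltered: cast failed, readObject had already run: " + RunsOnRead.ran);
        }

        RunsOnRead.ran = false;
        try {
            deserializeFiltered(hostile);
        } catch (InvalidClassException e) {
            // The filter rejects the class name before any of its code runs.
            System.out.println("filtered: rejected, readObject ran: " + RunsOnRead.ran
                    + " (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `javac InsecureVsFilteredDeserialization.java && java InsecureVsFilteredDeserialization`. The unfiltered path prints the line from `RunsOnRead.readObject` before the `ClassCastException` is even thrown; the filtered path throws `InvalidClassException` with the class still unresolved and `RunsOnRead.ran` still false. Note that the filter only decides which classes may be reconstructed; it does not make deserializing untrusted input safe when the allow-listed classes themselves have exploitable hooks, which is why not deserializing untrusted data at all remains the first choice.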