Insecure Deserialization

Trusting serialized data without validation lets attackers craft objects that hijack application logic.

What it is

Insecure deserialization happens when an application reconstructs objects from serialized data it receives without checking that data properly.

Why it matters

Attackers can change that data to control how the application behaves or gain unauthorised access.

How to reduce risk

  • Avoid trusting user-provided data
  • Validate data before processing it
  • Limit what actions data can trigger
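As an added illustration (not part of this glossary entry), the Python example below contrasts a loader that trusts pickled data outright with two ways of applying the points above: restricting which classes deserialization may resolve, and switching to a data-only format with explicit validation. The `Session` class, the allowlist contents, the role names and the sample payloads are constructed for this example and are not from the page or any particular project.

```python
import collections
import datetime
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Session:
    """Hypothetical application object, built only from validated input."""
    user: str
    role: str
    expires: datetime.date


VALID_ROLES = {"user", "admin"}  # constructed for the example


def validate_session(data) -> Session:
    """Check shape and values before the data can influence any behaviour."""
    if not isinstance(data, dict) or set(data) != {"user", "role", "expires"}:
        raise ValueError("unexpected session shape")
    if not isinstance(data["user"], str) or not data["user"]:
        raise ValueError("invalid user")
    if data["role"] not in VALID_ROLES:
        raise ValueError("unknown role")
    expires = data["expires"]
    if isinstance(expires, str):
        expires = datetime.date.fromisoformat(expires)
    if not isinstance(expires, datetime.date):
        raise ValueError("invalid expiry")
    return Session(user=data["user"], role=data["role"], expires=expires)


# Vulnerable pattern: pickle.loads reconstructs whatever the bytes describe,
# including classes and callables the application never meant to instantiate,
# and hands the result back with no validation at all.
def load_session_trusting(blob: bytes):
    return pickle.loads(blob)


# Mitigation 1: allowlist the only (module, name) pairs deserialization may
# resolve. Plain containers and scalars never go through find_class; any other
# class reference is refused before it is instantiated.
ALLOWED_GLOBALS = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_session_restricted(blob: bytes) -> Session:
    data = RestrictedUnpickler(io.BytesIO(blob)).load()
    return validate_session(data)  # limit what the data can trigger


# Mitigation 2 (preferred): a data-only format such as JSON cannot carry class
# references at all, so the only remaining job is validating the content.
def load_session_json(text: str) -> Session:
    return validate_session(json.loads(text))


# Constructed inputs: a legitimate session, a pickle referencing a class outside
# the allowlist (a harmless stand-in for unexpected data), and two JSON bodies.
GOOD_PICKLE = pickle.dumps(
    {"user": "alice", "role": "user", "expires": datetime.date(2030, 1, 1)}
)
FOREIGN_PICKLE = pickle.dumps(collections.OrderedDict(a=1))
GOOD_JSON = '{"user": "bob", "role": "admin", "expires": "2030-01-01"}'
BAD_JSON = '{"user": "bob", "role": "root", "expires": "2030-01-01"}'


def outcome(loader, payload):
    """Return the loaded object, or the name of the exception the loader raised."""
    try:
        return loader(payload)
    except (pickle.UnpicklingError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(outcome(load_session_trusting, FOREIGN_PICKLE))   # OrderedDict accepted
    print(outcome(load_session_restricted, FOREIGN_PICKLE)) # UnpicklingError
    print(outcome(load_session_restricted, GOOD_PICKLE))    # Session(...)
    print(outcome(load_session_json, GOOD_JSON))            # Session(...)
    print(outcome(load_session_json, BAD_JSON))             # ValueError
```

The trusting loader happily returns an `OrderedDict` it was never asked for; the restricted unpickler stops at the class reference, and both hardened paths still run the same `validate_session` check so that a well-formed but unexpected value (an unknown role, an extra key) cannot steer application logic.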

External resources

  • https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
  • https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html