Insecure deserialization

Serialization is the process of converting an object into a stream of bytes so that it can be transmitted or stored in a file, a database, or even memory. The serialized form preserves the object's state so that the object can be reassembled when it is needed. The reverse process, deserialization, recreates the object in its original form from that stream of bytes.

Insecure deserialization occurs when an application deserializes untrusted data, allowing an attacker to abuse the application's logic, cause a denial of service, or execute malicious code on the web application, page, or server. In the worst case, an insecure deserialization attack lets the attacker execute code remotely on the target web server.
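As an added example that is not part of the original text, the following Python code shows one common mitigation: a restricted unpickler that resolves only an allowlist of types, so a serialized blob naming anything else is rejected before it can influence program flow. The SessionToken type, the allowlist contents and the sample blobs are constructed for illustration; a safer design still is to avoid native object serialization for untrusted input altogether and use a data-only format such as JSON with schema validation.

```python
import datetime
import io
import pickle
from dataclasses import dataclass

@dataclass
class SessionToken:
    """Constructed application type: the only user-defined class a
    serialized session blob is expected to contain."""
    user: str
    role: str

# Allowlist mapping (module, name) pairs to the objects they may resolve to.
# Any other global reference in the byte stream is refused, and nothing is
# imported on the untrusted data's behalf, so it cannot steer the unpickler.
ALLOWED_GLOBALS = {
    ("builtins", "dict"): dict,
    ("builtins", "list"): list,
    ("builtins", "tuple"): tuple,
    (SessionToken.__module__, "SessionToken"): SessionToken,
}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler that resolves only globals listed in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refused global {module}.{name}: not on the allowlist") from None

def safe_loads(data: bytes):
    """Deserialize untrusted bytes through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_load(data: bytes):
    """Return (True, obj) on success or (False, reason) so callers can log rejections."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)

def constructed_samples():
    """Constructed inputs: an expected token, and a blob naming a class that was never allowlisted."""
    return (pickle.dumps(SessionToken("alice", "viewer")),
            pickle.dumps(datetime.date(2024, 1, 1)))
if __name__ == "__main__":
    for blob in constructed_samples():
        print(try_load(blob))
```

The rejection happens inside find_class, before any constructor or reducer referenced by the blob is executed, which is the property a defender wants from a deserializer that must accept data from outside the trust boundary.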

Further information on insecure deserialization can be found on the OWASP website at https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization.

Most of the time, system administrators and IT professionals don't take these vulnerabilities seriously until a cyberattack is at their front door. As penetration testers, it's our job to efficiently discover all the existing and hidden security vulnerabilities in a target organization and inform the company to help secure their assets.

In the following section, we will outline some common misconfigurations on web servers.
