This is one of the most complex yet powerful vulnerabilities (often rated CVSS 10.0). It plagues Java, PHP, Python, and .NET. When an application blindly trusts a serialized object (a blob of bytes) sent by a user, the deserialization process itself can trigger malicious code execution before the application even inspects the data.

How it works (The PHP Example)

PHP uses `unserialize()` to turn a string like `O:4:"User":1:{s:4:"name";s:3:"Bob";}` (an object of class `User` with one property, `name`, set to `Bob`) back into a `User` object.
PHP classes can define "magic methods" such as `__destruct()` (runs when the object is destroyed, e.g. when the script ends) or `__wakeup()` (runs as soon as the object is unserialized).
The Attack:
1. Attacker finds a class in the code called `Logger` whose `__destruct()` method deletes a log file.
2. Attacker crafts a serialized string representing a `Logger` object, but sets its "log file path" property to `index.php`.
3. Server receives the string -> `unserialize()` -> creates a `Logger` object.
4. Script ends -> `Logger` object destroyed -> `__destruct()` runs -> DELETES index.php.

1. Java Deserialization (Apache Commons)

In Java, this is even worse.
Tools like `ysoserial` can generate "gadget chains".
These are complex chains of innocent-looking classes (from common libraries such as Apache Commons Collections) that trigger a domino effect ending in `Runtime.exec("cmd.exe")`.
Jenkins, WebLogic, and JBoss have all been hacked this way.

2. Prevention

Never accept serialized objects from untrusted users.
Use JSON instead. JSON is data-only: it describes data fields but does not instantiate classes or trigger magic methods.
If you MUST use serialization, use a cryptographic signature (HMAC) to verify the data hasn't been tampered with, and check it before calling the deserializer, because the damage happens during deserialization itself.
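An added example (not part of the original notes) of the HMAC check in Python, one of the languages the notes list as affected; the key, the `AuditRecord` class and the payload are constructed for the demo. `__setstate__` plays the role of PHP's `__wakeup()`: a counter shows it fires on the trusted token but never on the tampered one, because the MAC is verified before anything is deserialized.

```python
import hmac
import hashlib
import pickle

# Constructed demo key; in production load it from a secret store, never hard-code it.
SECRET_KEY = b"demo-key-not-for-production"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256

class AuditRecord:
    """Demo class. __setstate__ runs during deserialization, before the
    caller ever sees the object (the same timing as PHP's __wakeup())."""
    unpickled = 0  # counts how many times the hook has fired

    def __init__(self, path):
        self.path = path

    def __setstate__(self, state):
        AuditRecord.unpickled += 1
        self.__dict__.update(state)

def sign(obj) -> bytes:
    """Serialize obj and prepend an HMAC-SHA256 tag over the serialized bytes."""
    blob = pickle.dumps(obj)
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest() + blob

def load_signed(token: bytes):
    """Verify the tag first, then deserialize. A forged or altered token is
    rejected before pickle.loads runs, so no hook can execute on it."""
    if len(token) < DIGEST_LEN:
        raise ValueError("token too short")
    tag, blob = token[:DIGEST_LEN], token[DIGEST_LEN:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC mismatch: payload rejected before deserialization")
    return pickle.loads(blob)

def tamper(token: bytes) -> bytes:
    """Flip one bit in the serialized body, simulating an altered property."""
    body = bytearray(token)
    body[-1] ^= 0x01
    return bytes(body)

def demo():
    """Returns (path from trusted token, tampered token rejected?, hook count)."""
    token = sign(AuditRecord("/var/log/app.log"))
    ok = load_signed(token)  # hook fires once, on data we signed ourselves
    try:
        load_signed(tamper(token))
        rejected = False
    except ValueError:
        rejected = True
    return ok.path, rejected, AuditRecord.unpickled
```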