# Unsafe Deserialization and Object Injection

One-sentence definition: Exploitation of deserializers to execute code, manipulate logic, or escalate privileges.

## Key Facts

- Avoid deserializing untrusted data; use safe formats (JSON) with strict schemas.
- Disable polymorphic types/gadgets; whitelist classes/fields.
- Sign and verify serialized objects; enforce integrity.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Identify gadget chains and unsafe libraries as root cause.

**Mnemonic:** “**Don’t trust objects**.”

## Mini Scenario

Q: App deserializes user cookie into object—risk?

A: Code execution or logic abuse; switch to signed/strict tokens.

## Revision Checklist

- Safe format choice.
- Integrity check.
- Class whitelist.

## Related

[[Input Validation and Output Encoding]] · [[Secure Database Access and SQL Injection Prevention]] · [[File Upload Security and Path Traversal]] · [[Security Testing Strategy (Unit Integration E2E Fuzz)]] · [[Domain 8 - Index]]
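The cookie scenario from the Mini Scenario, worked as an added example that is not part of this note: the session travels as JSON, is HMAC-signed, and is checked against a strict schema before any field is used. The key, field names and role values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values: a real deployment loads the key from a secret store.
SECRET = b"server-side-secret-rotate-me"
# Strict schema: exact field set and exact types; anything else is rejected.
SCHEMA = {"user_id": int, "role": str}
ALLOWED_ROLES = {"user", "admin"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(session: dict, key: bytes = SECRET) -> str:
    # Canonical JSON so the signature covers one unambiguous encoding.
    body = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(tag)}"


def parse_cookie(cookie: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the session dict, or None if the cookie is forged, tampered,
    malformed, or does not match the schema exactly. Contrast: pickle.loads
    on the raw cookie would let the client choose which class gets built."""
    try:
        body_s, tag_s = cookie.split(".")
        body, tag = _b64d(body_s), _b64d(tag_s)
    except (ValueError, TypeError):
        return None
    # Integrity first: reject before parsing anything attacker-controlled.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    # Plain object only, exact key set, exact types (bool is not int here).
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        return None
    if any(type(obj[k]) is not t for k, t in SCHEMA.items()):
        return None
    if obj["role"] not in ALLOWED_ROLES:
        return None
    return obj
```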