Object Injection

Object Injection is a type of vulnerability that occurs in programming languages that feature object serialization and deserialization. It is most commonly associated with web applications and is a serious security risk that can lead to various attacks, including Knowledge Base/Remote Code Execution|code execution, SQL injection, Directory Traversal|path traversal, and denial of service.

1. Serialization and Deserialization:
   • Serialization is the process of converting an object into a format that can be stored or transmitted, often as a string.
   • Deserialization is the reverse process – converting the serialized data back into an object.

Object injection vulnerabilities arise when an application deserializes data from an untrusted source without adequately sanitizing or validating it. An attacker can exploit this by injecting malicious serialized objects.

Object Injection vulnerabilities are more common in languages that provide built-in capabilities for object serialization and deserialization, such as PHP, Java, and Dotnet|.NET.