1
00:00:00,150 --> 00:00:08,010
Serialization is the process that involves transforming a collection of objects into a file, typically

2
00:00:08,010 --> 00:00:11,080
structured in XML or JSON format.

3
00:00:11,970 --> 00:00:20,370
Deserialization is the reverse process of rebuilding the collection of objects from the XML or JSON

4
00:00:20,370 --> 00:00:29,100
data file. The whole process can be used to make heterogeneous systems communicate with a protocol such

5
00:00:29,100 --> 00:00:29,730
as SOAP.

6
00:00:32,330 --> 00:00:37,430
We see in the graphic an example of the serialization process.

7
00:00:39,210 --> 00:00:46,380
And in this graphic, the inverse process of deserialization without any tampering.

8
00:00:49,980 --> 00:00:58,920
The vulnerability arises if an attacker is able to tamper with the XML or JSON structure and

9
00:00:58,920 --> 00:01:07,470
have it processed by the deserialization process. The tampering can consist of adding or removing entire

10
00:01:07,470 --> 00:01:13,830
new elements, adding or removing attributes, or changing attribute values.

11
00:01:17,160 --> 00:01:24,480
Among the remedies for this vulnerability, mention should be made of the use of a digital

12
00:01:24,480 --> 00:01:31,890
signature and the transmission of data by means of a secure protocol such as HTTPS.

13
00:01:35,260 --> 00:01:43,480
It is also recommended, when deserializing, to rely on standard, tested and validated components and

14
00:01:43,480 --> 00:01:49,930
libraries, and to do a type check when calling the method that deserializes.

15
00:01:53,080 --> 00:02:01,950
Other useful indications to counteract the risk include the use of logging and monitoring mechanisms

16
00:02:01,960 --> 00:02:04,660
for deserialization.

17
00:02:07,920 --> 00:02:09,880
Thank you for your kind attention.

18
00:02:09,900 --> 00:02:10,570
Take care.