First, what is "serialization"?
Serialization = converting an object into a format that can be:
- Stored
- Sent over a network
- Saved in cookies or sessions
Python → pickle
Java → Serializable
PHP → serialize()
.NET → BinaryFormatter
Example of serialization data
Python (pickle) – Binary → Base64 (very common)
Original object
{"username": "alex", "role": "user"}
Serialized (pickle → Base64)
gASVJAAAAAAAAAB9lCiMBHVzZXKUjAVhZG1pbpSMBHJvbGWUjAR1c2VylHUu
This is stored in the cookie, and the reverse process is called deserialization.
How does insecure deserialization occur?
Serialization data
{"username": "alex", "role": "user"}
Serialization data modified by the attacker, which is now insecure
{"username": "alex", "role": "admin"}
Insecure deserialization data (the modified object, pickled and Base64-encoded again)
gASVJwAAAAAAAAB9lCiMBHVzZXKUjANyYWqUjARyb2xllIwEdXNlcpR1Lg==
Because the application trusts whatever it deserializes, this leads to privilege escalation from normal user -> admin. So this is the actual flow. You can learn more about insecure deserialization here

Now let's look at a scenario

Register and capture the request in Burp

So we can see the application is written in Python, and there is a high chance it is using pickle for the cookie.
What is pickle?
pickle is a built-in Python module used for serialization and deserialization of Python objects; it is mainly used to save Python objects to disk.
I have written a Python script that will detect pickle deserialization. You just need to update the cookie value in that script. Check here

We have confirmed with this script that the application is using pickle. You can check this tool as well; it also supports detecting Java and PHP serialized objects.
Let's decode the cookie value

We can see the serialization data
username: raj role: admin
Now we have manipulated it, and it has become insecure deserialization data

Inject the tampered cookie.
As the application was running on Windows, I thought of writing a Python script that would run our Windows commands to confirm RCE. Check the script here

This script stores the output of all the commands in the rce-output.txt file

Shell commands executed successfully and stored in a txt file.
If this article helped you learn something new, you can support my work here , it motivates me to create more helpful content for readers like you and for the community
Mitigations
Never deserialize untrusted data (cookies, headers, request bodies).
Perform deserialization in a sandboxed, low-privilege context.
Never deserialize user-controlled data — use JSON and enforce strict validation.
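As an added example (not the article's own script, and not code from the tested application), the snippet below puts the cookie flow described above and the mitigations list into code: a framing check that flags a Base64 pickle cookie like the one decoded earlier (the `gASV` prefix is Base64 for the pickle protocol header), and a signed-JSON replacement that rejects the role tamper the article walks through. The session dict, key and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed sample session, the same shape as the article's example object.
SESSION = {"username": "alex", "role": "user"}


def looks_like_pickle(cookie_b64: str) -> bool:
    """Detect a Base64-encoded pickle cookie from the stream framing alone.
    Protocol 2+ pickles start with the PROTO opcode (0x80) plus a version byte
    and end with the STOP opcode (b'.'); 'gASV' is Base64 for b'\\x80\\x04\\x95'."""
    try:
        raw = base64.b64decode(cookie_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 2 and raw[0] == 0x80 and 2 <= raw[1] <= 5 and raw[-1:] == b"."


def pickle_cookie(obj) -> str:
    """The pattern the article describes: pickle, then Base64, no integrity check."""
    return base64.b64encode(pickle.dumps(obj)).decode()


def signed_json_cookie(obj, key: bytes) -> str:
    """Hardened replacement: JSON payload plus an HMAC-SHA256 tag over it."""
    payload = base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed_json_cookie(cookie: str, key: bytes):
    """Return the session dict, or None if the tag or the contents fail checks."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload or tag was altered, or signed with another key
    data = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(data, dict) or data.get("role") not in {"user", "admin"}:
        return None  # schema check even after the signature verifies
    return data


def role_swapped_cookie(cookie: str, new_role: str) -> str:
    """The article's role tamper applied to the signed format: new role, old tag."""
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["role"] = new_role
    payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return f"{payload}.{tag}"
```

With pickle the swapped role would simply be accepted; with the signed JSON cookie the stale tag no longer matches the payload and the server falls back to an unauthenticated session.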
If you haven't checked yet, take a look at how I automated OWASP Mobile security testing with this single Frida script.
Follow me on Medium and connect with me over on LinkedIn.