How does serialization work in java

Even though you might have getters and setters, these functions are not used when serializing an object in Java. When deserializing a byte stream back to an object it does not use the constructor. It creates an empty object and uses reflection to write the data to the fields. Just like with serialization, private and final fields are also included.

A Java deserialize vulnerability is a security vulnerability that occurs when a malicious user tries to insert a modified serialized object into the system that eventually compromises the system or its data. Think of arbitrary code execution that can be triggered when deserializing a serialized object. To better explain Java deserialize vulnerabilities, we first need to explore how deserialization works in Java.

A serialized object in Java is a byte array with information of the state. It contains the name of the object it refers to and the data of the field. If you look at a stored serialized object with a hex-editor, you can enclose and manipulate the information quickly.

We already know that Java deserialization does not use the constructor to create an object but rather uses reflection to load the fields. This means that any validation checks done in the constructor are never called when recreating the object. You can think about checks like start-date before end-date when describing a period.

When deserializing a Java object, this new object can have an invalid state. When reading the file ValueObject. Now I can easily manipulate the string value. Below I change it from Hi to Hallo. So, if an application accepts serialized objects, it is relatively easy to temper with the values.

Tampering with the data in an object is harmful already. However, this can also lead to code execution if the correct set of objects is deserialized. To explain this I first have to explain gadgets and chains. This existing executable code can be reused for malicious purposes. If we look at Java serializable objects, some magic methods—like the private readObject method—are reflectively called when deserializing.

This gadget class overrides the default readObject method. This variable will be initialized with default value during deserialization. In case of static Variables:- A variable defined with static keyword is not serialized during serialization process.

This variable will be loaded with current value defined in the class during deserialization. This article is contributed by Mehak Narang and Shubham Juneja. If you like GeeksforGeeks and would like to contribute, you can also write an article using write.

See your article appearing on the GeeksforGeeks main page and help other Geeks. Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.

Skip to content. Change Language. Related Articles. Table of Contents. Save Article. Improve Article. Like Article. String name;. Previous Lambda Expressions in Java 8.

Next Garbage Collection in Java. And if I have to call them manually via code then why compiler should be let known that Serializable interface is implemented? Yes, Serializable interface don't have any methods to implement. If you want serialize object, your object must implement Serializable interface. Also read this guide about serialization. Stack Overflow for Teams — Collaborate and share knowledge with a private group.

Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. How java serialization works internally? Asked 8 years, 5 months ago. Active 8 years, 5 months ago. Viewed 17k times.