PHP Insecure Deserialization: A Critical Vulnerability Explained with Examples

PHP Insecure Deserialization

A Critical Vulnerability Explained with Examples

PHP, a widely used server-side scripting language, offers a range of powerful features that make it a favorite among developers. However, like any programming language, PHP has its vulnerabilities, and one of the most critical ones is insecure deserialization. In this article, we’ll delve into the concept of insecure deserialization, and its potential risks and provide an example of vulnerable PHP code.

Table of Contents

Understanding Insecure Deserialization

Serialization is the process of converting complex data structures, such as arrays or objects, into a format that can be easily stored, transmitted, or reconstructed. In PHP, serialization is primarily achieved using the serialize() function, which converts data into a string representation. Conversely, the unserialize() function recreates the original data from the serialized string.

Insecure deserialization occurs when user-supplied serialized data is not validated correctly or sanitized before being passed to the unserialize() function. This can lead to several exploitable scenarios where attackers can manipulate the serialized data to execute malicious code, compromise the application, or gain unauthorized access.

Example of Vulnerable PHP Code

Consider the following PHP code snippet that demonstrates a classic insecure deserialization vulnerability:

Web App Critical Vulnerability
Figure 1: Vulnerable Code

In the above code, a simple User class represents user data with two properties: username and isAdmin. The application receives user data from a cookie named ‘user_data,’ which contains serialized data representing a User object. However, the application does not validate or sanitize this data before using unserialize().

Exploiting the Vulnerability

An attacker can exploit this insecure deserialization vulnerability by modifying the serialized data to execute arbitrary code. For instance, consider the following malicious serialized data:

Web app Security
Figure 2: malicious serialized data

Here, the attacker has set the isAdmin property to true, effectively granting themselves administrative privileges. When the application deserializes this data and checks for an instance of the User class, it will perceive the attacker as an admin and grant them access to sensitive functionalities.

Mitigation Techniques

To protect your PHP applications from insecure deserialization attacks, consider the following best practices:

  • Avoid using unserialize() with untrusted data: Only use unserialize() with trusted data or from reliable sources.
  • Implement whitelisting: Validate and sanitize the serialized data using a whitelist of allowed classes and properties before deserialization.
  • Use secure serialization alternatives: Instead of PHP’s native serialization, consider using more secure serialization formats like JSON or XML, which have built-in safety features.
  • Regularly update PHP: Keep your PHP version up to date to ensure you benefit from security patches and improvements.


Insecure deserialization is a critical vulnerability that can lead to unauthorized access and code execution in PHP applications. By understanding the risks and implementing proper validation and whitelisting, developers can safeguard their applications against such attacks. Always follow secure coding practices and stay informed about the latest security developments to ensure the robustness of your PHP applications.

Picture of Anthony Cole, Sr. Penetration Tester at Redbot Security

Anthony Cole, Sr. Penetration Tester at Redbot Security

Anthony Cole is a Sr. Security Consultant with over 22 years of experience in information technology, IT security and software development. Anthony is fully GIAC certified in all facets of information security, enabling him to facilitate successful outcomes for customers. Anthony’s vast knowledge of both offensive and defensive security ensures that Redbot Security’s customers will receive the best service in the industry.

Anthony is Redbot Security’s AppSec SME and formerly a Sr. Level Application Penetration Testing Engineer for NetSpi and Presidio as well as Blutique LLC’s Chief Technical Officer and Sr. Application Developer.

Pen-Test Project Quote

Penetration Testing Service Provider

Our expert team will help scope your project and provide a fast and accurate project estimate.

Contact Redbot Security

Related Articles

Common Attacks

Microsoft Windows Laptop Security

Malicious actors prey on weak configurations like locusts. Microsoft, despite knowing that their operating systems, have inherent weaknesses have done little to enhance their initial security outside of remediation for publicly known vulnerabilities.

Read More »
Pen Testing Industrial Control Systems

ICS/SCADA Penetration Testing: Where to Start

Becoming proficient in Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) network testing can appear daunting as there are fewer learning resources.

Read More »
Network Pen Testing Companies

Attack Surface Management (ASM)

Today, cybercriminals have plenty of entry points to exploit. Therefore, it has become crucial for organizations to improve their attack surface visibility to have more effective protection. This is where attack surface management (ASM) comes into play. This article will explore all about attack surface management (ASM), including its importance, working principle, and benefits.

Read More »
How to prevent active directory attack

AS-REP Roasting

Kerberos Authentication Service Response (AS-REP) Roasting, a technique similar to Kerberoasting, has gained prominence as a method for attackers to compromise Active Directory (AD) authentication systems.

Read More »
Ransomware Nightmare

Android Malware

The likelihood of a cyber attack on a mobile platform is significantly high, but how difficult is it for a malicious actor to generate malware? You might be surprised.

Read More »

Additional Articles
that you may find helpful

Security Management Platform

Cymbiotic is a revolutionary, scalable platform providing unparalleled security management: on-demand testing, secure reporting, and remediation tracking, while also acting as an advanced attack surface management platform ... for every network.

Cyber threat news feed

Check out the latest cybersecurity news around the globe

Pen-Test Project Quote

Penetration Testing Service Provider

Our expert team will help scope your project and provide a fast and accurate project estimate.

Contact Redbot Security
Show Buttons
Hide Buttons