What are serialization and deserialization? | What is insecure deserialization?
What is serialization?
Serialization is the process of converting the state of an object into a byte stream that can be saved to a file.
Why do we need Serialization?
Let’s take the example of a computer game: when we start the game, we get the option to resume it. Now think about how it is possible for the game to start from where we last left it. While we play, we see only the graphics, but in the computer’s memory it is code and data that are running (for example, x-axis 200, y-axis 300). When we stop the game, all the required data in memory are converted into a byte stream, and that byte stream is saved to a file; this is serialization. When we restart the game, the application reads the byte-stream file again, deserializes the data, and loads all of the serialized data back into memory. That is why the game resumes from the point where we last stopped.
This is one use case of serialization, and there are many others depending on the application: it can be used for communication from one machine to another and for transferring information, because serialized data is machine-independent.
Serialized data can be stored in files, databases, and memory.
What is deserialization?
Deserialization is the reverse process of serialization. It’s the process of reconstructing the object from the serialized state.
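The game-state round trip described in the two definitions above, as an added Python example that is not part of the original article: `serialize` turns the object into a byte stream (quit), `deserialize` rebuilds the object from that byte stream (resume) and, because a save file is input the running program did not produce, checks every field before constructing anything. The `GameState` fields, `MAX_COORD` and the JSON layout are assumptions made for this example.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample state for the article's "resume the game" scenario.
@dataclass(frozen=True)
class GameState:
    x: int       # player position on the x-axis
    y: int       # player position on the y-axis
    level: int

# Field names and the type each must have after parsing; anything else is rejected.
EXPECTED_FIELDS = {"x": int, "y": int, "level": int}
MAX_COORD = 10_000  # assumed world bounds, not from the article

def serialize(state: GameState) -> bytes:
    """Object -> byte stream (what the game does when you quit)."""
    return json.dumps(asdict(state), sort_keys=True).encode("utf-8")

def deserialize(data: bytes) -> GameState:
    """Byte stream -> object (what the game does on resume).

    Every field is validated before an object is rebuilt, so the loader
    only ever constructs a GameState with known fields and sane values.
    """
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"corrupt save data: {exc}") from exc
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected fields in save data")
    for name, typ in EXPECTED_FIELDS.items():
        # bool is a subclass of int in Python, so compare the exact type.
        if type(obj[name]) is not typ:
            raise ValueError(f"field {name!r} has wrong type")
    if not (0 <= obj["x"] <= MAX_COORD and 0 <= obj["y"] <= MAX_COORD):
        raise ValueError("coordinates out of range")
    return GameState(**obj)

def round_trip(state: GameState) -> GameState:
    """Save then load, as on quit and resume; returns the rebuilt object."""
    return deserialize(serialize(state))

def load_safely(data: bytes) -> Optional[GameState]:
    """Return the rebuilt state, or None if the save data is rejected."""
    try:
        return deserialize(data)
    except ValueError:
        return None
```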