Deserialization Basics

Introduction

 
This article is going to focus on the Deserialization basics. To build a better understanding of the concepts of deserialization, we will need to briefly look at serialization. We are also going to show serialization and deserialization examples using a C# console application.
 

Serialization

 
In most business applications, there is always a need to serialize some data or objects for communication purposes. Serialization involves the translation of data structures such as lists, arrays, or objects into a format that can be easily used for storing or sending data via a network. Common types of serialization are JSON, XML, and binary formats. Using these formats object data is kept in specific file formats that enable easy data communication.
 
Serialization example using JSON
 
The following example is a simplified example of using serialization in a C# console application.
 
So what you need to do first is to download the Nuget JSON package in your application by using the Nuget Package Manager. After it has been installed, you now need to include the Namespaces which are required to use JSON.
  1. using Newtonsoft.Json;  
  2. using Newtonsoft.Json.linq;  
  3. public void Serialize_json(object my_obj, string fil_Path) {  
  4.     JsonSerializer = jsSerializer = new JsonSerializer();  
  5.     if (File.Exists(fil_Path)) File.Delete(fil_Path);  
  6.     StreamWriter my_strW = new StreamWriter(fil_Path);  
  7.     JsonWriter jsWriter = new JsonTextWriter(my_strW);  
  8.     JsonSerializer.Serialize(jsWriter, my_obj);  
  9.     jsWriter.Close();  
  10.     my_strW.Close();  
  11. }  
The code above is simply a class that will be used to serialize any data called on implementation, as shown later in this article.
 

Deserialization

 
Deserialization is in fact the opposite of Serialization; it’s concerned with decomposing the serialized data back to its object state.
 
Most programming languages provide a native way to serialize and deserialize data using common formats like JSON and XML. In as much as this is convenient and seems like an advantage, it is very important to also understand how to safely use deserialization.
 

Insecure Deserialization

 
Deserialization may be used by attackers to compromise applications. Deserialization may be used by attackers to perpetrate malicious practices such as access control, denial-of-service, and remote code execution.
 
The biggest deserialization vulnerability is when applications deserialize data from untrusted sources. This could lead to various attacks as mentioned earlier. Because of these known threats, some developers make use of custom serialization and deserialization standards which enable them to verify trusted sources and make use of custom classes to protect object data.
 
Deserialization in JSON format
 
The following example shows how to deserialize an object using a C# console application:
  1. public object deserialize_Json(Type dtype, string fil_Path) {  
  2.     JObject my_obj = null;  
  3.     JsonSerializer jsSerializer = new JsonSerializer();  
  4.     if (File.Exists(fil_Path)) {  
  5.         StreamReader my_strR = new StreamReader(fil_Path);  
  6.         JsonReader jsReader = new JsonTextReader(my_strR);  
  7.         my_obj = JsonSerializer.Deserialize(jsReader as JObject)  
  8.         jsReader.Close();  
  9.         my_strR.Close();  
  10.     }  
  11.     return my_obj.ToObject(dtype);  
  12. }  
The above method can be used when called to deserialize any given JSON file and convert it to its original data type.
 
The following example shows the result where the serialization and deserialization methods (shown above) can be viewed in a console application.
  1. static void Main(string[] args) {  
  2.     Student student = new Student() {  
  3.         StudentID = "001", SName = "Smith"  
  4.     };  
  5.     string fil_Path = "myStudent.save";  
  6.     DataSerializer infoSerializer = new DataSerializer();  
  7.     Student myStudent = null;  
  8.     infoSerializer.Serialize_json(Student, fil_Path);  
  9.     myStudent = infoSerializer.deserialize_Json(typeof(Student), fil_Path as Student);  
  10.     Console.Writeline(myStudent.StudentID);  
  11.     Console.Writeline(myStudent.SName)  
  12. }  
The above code will display the Student information on the console screen in an object format. The above examples are a simple way of showing how serialization and deserialization can be implemented in a C# application however there are a lot of security concerns that are involved which may require the application to check for the source of the data, etc.
 

Conclusion

 
Secure deserialization is a necessity, especially in terms of web applications where data can be transferred across different networks. This could lead to the unintended execution of malicious scripts and code which could end up harming the web application as a whole.