# Data Deserialization

## What is data serialization?

Data serialization is the process of taking a Python object and transforming it into structured data that can be consumed by different backend technologies.

Deserialization is the reverse: taking structured data and transforming it back into an object that can be passed between the different phases of the code.

It is commonly used by backend services to transport and manage data across different classes and libraries, update the object's attributes, and finally transform the object back into structured data to be written to a database or storage service, or returned through a REST API.

Some of the most common data structure formats used are:

* json
* yaml
* xml
* pickle
* csv

## Vulnerabilities

If the data format and the parsing methods used can evaluate Python code embedded in the data, an attacker may be able to inject their own Python object and have it executed by the backend service, potentially leading to a remote shell or information disclosure.
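The defensive counterpart of the point above, as an added example that is not part of this page or its linked sub-pages: a `pickle.Unpickler` subclass that refuses to resolve any class or function outside an allowlist, so a stream that references an arbitrary importable object is rejected rather than instantiated, beside a JSON loader with schema checks, which is the better fix because a data-only format never reaches code during parsing. The allowlist, the `EXPECTED_FIELDS` schema and the sample streams are constructed for this example; `find_class()` is the standard-library hook for restricting what a pickle may load.

```python
import collections
import io
import json
import pickle

# Globals a pickle stream may reference. Everything else is refused.
# (Constructed allowlist for this example; the page does not define one.)
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "frozenset"), ("builtins", "tuple"), ("builtins", "str"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
    ("builtins", "bytes"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any class or function outside SAFE_GLOBALS.

    pickle resolves every GLOBAL/STACK_GLOBAL reference through find_class(),
    the hook the stdlib documents for restricting what may be loaded. Plain
    containers and scalars are encoded as opcodes and never reach this method,
    so ordinary data still loads.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(
            f"refusing to load global '{module}.{name}'"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the stream instead of loading it."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# --- constructed sample streams -------------------------------------------

def sample_plain_record() -> bytes:
    """Pickle of plain data: what a legitimate producer would send."""
    return pickle.dumps({"user": "alice", "roles": ["admin"], "active": True})


def sample_foreign_class() -> bytes:
    """Pickle carrying a reference to a class outside the allowlist.

    collections.OrderedDict is harmless, but resolving an arbitrary class by
    name is exactly the step a hardened loader must not perform, so this
    stream has to be refused.
    """
    return pickle.dumps(collections.OrderedDict(user="alice"))


# --- the preferable fix: a data-only format plus schema checks -------------

# Constructed schema for the record shape this service expects.
EXPECTED_FIELDS = {"user": str, "roles": list, "active": bool}


def load_user_record(text: str) -> dict:
    """Parse a JSON record and validate it against EXPECTED_FIELDS.

    json.loads() only ever produces dicts, lists and scalars, so no code is
    reachable during parsing; the type checks reject malformed records.
    """
    record = json.loads(text)
    if not isinstance(record, dict) or set(record) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected record shape")
    for field, typ in EXPECTED_FIELDS.items():
        if not isinstance(record[field], typ):
            raise ValueError(f"field {field!r} has wrong type")
    return record


def json_record_is_valid(text: str) -> bool:
    """True if the JSON text parses and matches the expected schema."""
    try:
        load_user_record(text)
    except (ValueError, TypeError):
        return False
    return True


if __name__ == "__main__":
    print(restricted_loads(sample_plain_record()))
    print("foreign class rejected:", is_rejected(sample_foreign_class()))
    print(load_user_record('{"user": "alice", "roles": ["admin"], "active": true}'))
```

The restricted unpickler is a mitigation for code that cannot move off pickle; where the data producer is under your control, switching to JSON (or another data-only format) with an explicit schema removes the class of bug rather than narrowing it.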

{% content-ref url="data-deserialization/pickle" %}
[pickle](https://blog.egonzalez.org/hacking/index/python-vulnerabilities/data-deserialization/pickle)
{% endcontent-ref %}

{% content-ref url="data-deserialization/yaml" %}
[yaml](https://blog.egonzalez.org/hacking/index/python-vulnerabilities/data-deserialization/yaml)
{% endcontent-ref %}

{% content-ref url="data-deserialization/xml" %}
[xml](https://blog.egonzalez.org/hacking/index/python-vulnerabilities/data-deserialization/xml)
{% endcontent-ref %}

