
Silly Example of a Deserialisation Attack



I'm trying to understand a deserialisation attack, so I have thought of this example, if you could correct me if I have misunderstood something, that would be helpful.

I have this fiction class.

import java.util.Random;

public class Player {
    String name;
    int attackStrength;

    public Player(String name) {
        this.name = name;
        // nextInt(10) returns a value from 0 to 9
        this.attackStrength = new Random().nextInt(10);
    }
}

If I serialised this class, it would provide me with a byte array that represented the object instance and its internal values (name, attackStrength).

This fiction class randomly creates an attack strength with a max value of 10.

If I edited the byte array and read it back in, I could modify the bytes that represent attackStrength to 50! And then deserialise the array, and I now have a hacked character.

Is this the idea behind this form of attack?


Solution

  • Assuming that Player implemented java.io.Serializable, then deserialisation would bypass the constructor providing it is in an environment where an adversary can supply raw data. This is dealt with in Guideline 8-3 of Secure Coding Guidelines for the Java Programming Language, Version 4.0.
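An added example, not code from the question or the answer, showing the defence the answer points to: because deserialisation skips the constructor, a Serializable Player re-checks its fields in readObject, as Guideline 8-3 advises. PlayerDemo, MAX_STRENGTH and the forged-object setup are assumptions for illustration.

```java
import java.io.*;
import java.util.Random;

// Added example (not from the question or answer). A Serializable Player whose
// readObject re-validates state, since the constructor never runs when the
// object is rebuilt from bytes. PlayerDemo and MAX_STRENGTH are assumed names.
public class PlayerDemo {
    static final int MAX_STRENGTH = 10;
    static class Player implements Serializable {
        String name;
        int attackStrength;
        Player(String name) {
            this.name = name;
            this.attackStrength = new Random().nextInt(MAX_STRENGTH);
        }
        // Called by ObjectInputStream instead of the constructor, so every
        // invariant the constructor enforced is checked again here.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (name == null || attackStrength < 0 || attackStrength >= MAX_STRENGTH) {
                throw new InvalidObjectException("attackStrength out of range: " + attackStrength);
            }
        }
    }

    static byte[] serialize(Player p) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(p); }
        return bos.toByteArray();
    }

    static Player deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Player) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Player ok = deserialize(serialize(new Player("alice")));
        System.out.println("accepted: " + ok.name + " " + ok.attackStrength);
        // Stands in for the edited byte array from the question: the field holds
        // a value the constructor could never produce (constructed test data).
        Player forged = new Player("mallory");
        forged.attackStrength = 50;
        try {
            deserialize(serialize(forged));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validation belongs in readObject (or readResolve) rather than the constructor precisely because the byte stream, not the constructor, decides what the fields contain.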