A penetration tester is tasked with exploiting a web application that uses an insecure deserialization vulnerability. Which type of attack should the tester primarily use to execute arbitrary code on the server?
Insecure deserialization allows an attacker to supply crafted objects that execute arbitrary code upon deserialization.
Why this answer
Insecure deserialization vulnerabilities occur when an application deserializes untrusted data without proper validation, allowing an attacker to manipulate the serialized objects it accepts. By crafting a malicious serialized object (e.g., a PHP gadget chain or a Java serialized object whose class has a custom readObject() method), the tester can trigger arbitrary code execution on the server while the object is being deserialized. This directly aligns with option C, because the attack vector is the deserialization of a malicious object rather than any other form of input handling.
Exam trap
CompTIA often tests the misconception that insecure deserialization is a form of injection (like SQLi or XSS). The key distinction is that this attack exploits the deserialization process itself: the server reconstructs attacker-controlled objects, so the flaw does not depend on weak input validation of a query or script, nor on a user being tricked into triggering an action.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) injects script into pages rendered in the victim's browser; it runs on the client, not on the server via deserialization. Option B is wrong because SQL injection targets database queries built from input fields, not the deserialization of serialized objects. Option D is wrong because cross-site request forgery (CSRF) forces an authenticated user to perform unintended actions on a web application; it does not execute arbitrary code on the server through deserialization.