Using Python’s pickling to explain Insecure Deserialization
--
Before I go on rambling about what insecure deserialization is, I will explain what serialization and deserialization are.
Serialization is the process of converting an object into a stream of bytes so that the object can be stored in memory, in a database, or in a file. Do not confuse an object with a variable. Think of it like this: a variable can store only one data type at a time, whereas an object can store multiple. Serialization goes by different names in different languages: it is serialization for Java, pickling for Python and marshalling for Perl…
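As an added example (not code from the original post), the following shows pickling and unpickling of a constructed sample, a static scan of the byte stream for the opcodes that import or build objects, and an Unpickler subclass that refuses any global reference outside an allow-list; the sample objects, the opcode set and the allow-list are my own choices.

```python
import collections
import io
import pickle
import pickletools

# Constructed samples: plain data an application might store, and an instance
# of a class (OrderedDict, harmless here) that is not on the allow-list below.
PLAIN = {"user": "alice", "roles": ["viewer", "editor"], "logins": 3}
FOREIGN = collections.OrderedDict(a=1)

# Opcodes through which a stream imports a global or calls/builds an object;
# pickles of plain data (dicts, lists, strings, numbers) never contain them.
ACTIVE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST",
                  "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def serialize(obj):
    """Pickling: turn a Python object into a byte stream."""
    return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)

def deserialize_plain(data):
    """Unpickling as usually written: rebuilds whatever the stream describes."""
    return pickle.loads(data)

def active_opcodes(data):
    """Scan a stream without loading it and list the active opcodes it uses."""
    return sorted({op.name for op, _, _ in pickletools.genops(data)} & ACTIVE_OPCODES)

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an allow-list of harmless builtins. find_class is the hook
    through which the stream asks for any importable attribute, so refusing
    everything else stops it from constructing arbitrary objects."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def deserialize_restricted(data):
    """Unpickling with the allow-list applied; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data):
    """True if the restricted unpickler refuses the stream."""
    try:
        deserialize_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False
```

For `serialize(PLAIN)` the scan returns an empty list and both unpicklers rebuild the dict; for `serialize(FOREIGN)` the scan reports STACK_GLOBAL and REDUCE, `pickle.loads` happily rebuilds the OrderedDict, and the restricted unpickler rejects it.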