# Insecure Deserialization > Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML. > > However, many programming languages offer a native capability for serializing objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks. ## Challenges covered in this chapter | Challenge | Difficulty | | -------------------------------------------------------------------------------------------------- | ---------- | | Perform a Remote Code Execution that would keep a less hardened application busy forever. | ⭐⭐⭐⭐⭐ | | Perform a Remote Code Execution that occupies the server for a while without using infinite loops. | ⭐⭐⭐⭐⭐⭐ | ### Perform a Remote Code Execution that would keep a less hardened application busy forever > Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example: > > * allowed characters (standard regular expressions classes or custom) > * data format > * amount of expected data > > Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell. > > The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. #### Hints * The feature you need to exploit for this challenge is not directly advertised anywhere. * As the Juice Shop is written in pure Javascript, there is one data format that is most probably used for serialization. * You should try make the server busy for all eternity. * The challenge will be solved if you manage to trigger the protection of the application against such DoS attacks. * Similar to the [Let the server sleep for some time](/readme/part-ii/part-ii-challenge-hunting/injection.md#let-the-server-sleep-for-some-time) challenge (which accepted nothing but NoSQL Injection as a solution) this challenge will only accept proper RCE as a solution. It cannot be solved by simply hammering the server with requests. *That* would probably just *kill* your server instance. ### Perform a Remote Code Execution that occupies the server for a while without using infinite loops 🔧 **TODO** #### Hints 🔧 **TODO** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pwning-wargames.gitbook.io/readme/part-ii/part-ii-challenge-hunting/insecure-deserialization.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.