Look-ahead Java deserialization

How to secure deserialization from untrusted input without using encryption or sealing

When Java™ serialization is used to exchange information between a client and a server, attackers can try to replace the legitimate serialized stream with malicious data. This article explains the nature of this threat and describes a simple way to protect against it. Find out how to stop the deserialization process as soon as an unexpected Java class is found in the stream.
