> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# Insecure Deserialization

> Cross-platform resources for Insecure Deserialization: curated HTB machines, PortSwigger labs and TryHackMe rooms with validated writeups and related skills.

# Insecure Deserialization

This page aggregates **cross-platform resources to practice Insecure Deserialization**: retired Hack The Box machines, PortSwigger Web Security Academy labs and TryHackMe rooms, plus curated resources (HackTricks, PortSwigger, etc.) and related skills.

## Curated resources

| Source      | Link                                                                                                         |
| ----------- | ------------------------------------------------------------------------------------------------------------ |
| PortSwigger | [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization) |

## HTB machines practicing Insecure Deserialization (10)

| Machine                                               | OS      | Difficulty                                           |
| ----------------------------------------------------- | ------- | ---------------------------------------------------- |
| [Celestial](/en/htb/machines/linux/medio/celestial)   | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Feline](/en/htb/machines/linux/dificil/feline)       | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Jewel](/en/htb/machines/linux/medio/jewel)           | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Json](/en/htb/machines/windows/medio/json)           | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Laboratory](/en/htb/machines/linux/facil/laboratory) | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Monitors](/en/htb/machines/linux/dificil/monitors)   | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [NodeBlog](/en/htb/machines/linux/facil/nodeblog)     | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Scrambled](/en/htb/machines/windows/medio/scrambled) | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Tenet](/en/htb/machines/linux/medio/tenet)           | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Travel](/en/htb/machines/linux/dificil/travel)       | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |

## PortSwigger labs practicing Insecure Deserialization (10)

| Lab                                                                                                                                                                                                        | Difficulty                                                 | Topic                    | Official                                                                                                                                                        |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Developing a custom gadget chain for Java deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)                     | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-java-deserialization)           |
| [Developing a custom gadget chain for PHP deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization)            |
| [Modifying serialized objects](/en/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-objects)                                                                               | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-objects)                                        |
| [Using PHAR deserialization to deploy a custom gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-phar-deserialization-to-deploy-a-custom-gadget-chain)          |
| [Arbitrary object injection in PHP](/en/portswigger/labs/deserialization/exploiting-deserialization-arbitrary-object-injection-in-php)                                                                     | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php)                                   |
| [Exploiting Java deserialization with Apache Commons](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-java-deserialization-with-apache-commons)                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-java-deserialization-with-apache-commons)                 |
| [Exploiting PHP deserialization with a pre-built gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-php-deserialization-with-a-pre-built-gadget-chain)        |
| [Exploiting Ruby deserialization using a documented gadget chain](/en/portswigger/labs/deserialization/exploiting-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-exploiting-ruby-deserialization-using-a-documented-gadget-chain)     |
| [Modifying serialized data types](/en/portswigger/labs/deserialization/exploiting-deserialization-modifying-serialized-data-types)                                                                         | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-modifying-serialized-data-types)                                     |
| [Using application functionality to exploit insecure deserialization](/en/portswigger/labs/deserialization/exploiting-deserialization-using-application-functionality-to-exploit-insecure-deserialization) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Insecure Deserialization | [Open](https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-using-application-functionality-to-exploit-insecure-deserialization) |

## TryHackMe rooms practicing Insecure Deserialization (1)

| Room                               | Difficulty                                         | Type      | Access  | Official                                 |
| ---------------------------------- | -------------------------------------------------- | --------- | ------- | ---------------------------------------- |
| [Debug](/en/tryhackme/rooms/debug) | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge | 🟢 Free | [Open](https://tryhackme.com/room/debug) |

## Related skills

* [/en/skills/rce](/en/skills/rce)

***

← [Back to the full glossary](/en/glossary)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"Insecure Deserialization","termCode":"insecure-deserialization","inLanguage":"en","url":"https://rootea.es/en/skills/insecure-deserialization","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Tactical pentesting glossary","url":"https://rootea.es/en/glossary"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"HTB machines practicing Insecure Deserialization","numberOfItems":10,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/en/htb/machines/linux/medio/celestial","name":"Celestial"},{"@type":"ListItem","position":2,"url":"https://rootea.es/en/htb/machines/linux/dificil/feline","name":"Feline"},{"@type":"ListItem","position":3,"url":"https://rootea.es/en/htb/machines/linux/medio/jewel","name":"Jewel"},{"@type":"ListItem","position":4,"url":"https://rootea.es/en/htb/machines/windows/medio/json","name":"Json"},{"@type":"ListItem","position":5,"url":"https://rootea.es/en/htb/machines/linux/facil/laboratory","name":"Laboratory"},{"@type":"ListItem","position":6,"url":"https://rootea.es/en/htb/machines/linux/dificil/monitors","name":"Monitors"},{"@type":"ListItem","position":7,"url":"https://rootea.es/en/htb/machines/linux/facil/nodeblog","name":"NodeBlog"},{"@type":"ListItem","position":8,"url":"https://rootea.es/en/htb/machines/windows/medio/scrambled","name":"Scrambled"},{"@type":"ListItem","position":9,"url":"https://rootea.es/en/htb/machines/linux/medio/tenet","name":"Tenet"},{"@type":"ListItem","position":10,"url":"https://rootea.es/en/htb/machines/linux/dificil/travel","name":"Travel"}]}`}
</script>

*Last updated: 2026-06-07*
