Monthly ADR Report: Untrusted deserialization tops March’s application attacks chart

Cyberattackers are shifting their strategy against applications toward one of the most dangerous tactics. For the fourth straight month, the number one attack type was insecure deserialization, also known as untrusted deserialization. After four months, we can call this a trend.

Every month, in this ADR Report, Contrast Labs reports the attack trends we see across our apps and those of our customers. We anonymize and average the attacks so that readers can see what and where adversaries are focused. 

Here are the most notable findings from March 2025:

Insight No. 1: The rise of insecure deserialization

In March 2025, applications we monitor for attacks registered an average of 28 insecure deserialization attacks per app. Because Contrast is instrumented into the application, we’re not reporting on false positives; these are attacks that reached a vulnerability and would have resulted in an incident had Contrast Application Detection and Response (ADR) not stopped it. 

Insecure deserialization is dangerous because it can let an attacker run code of their choosing inside the application, potentially taking control of the application or its underlying systems. It occurs when an application receives serialized data (objects converted into a format for storage or transmission) from an untrusted source and deserializes it (converts it back into objects) without restricting which classes may be reconstructed. At that point the attacker, not the application, decides which objects are created and which code runs as they are built.

Web application firewalls (WAFs) are ill-equipped to handle insecure deserialization attacks. A WAF sits at the network perimeter and matches incoming HTTP traffic against predefined rules. It has no visibility into how the application will process a serialized payload: the same blob of bytes (often base64-encoded) is harmless if the application only reconstructs the types it expects, and a remote code execution if it resolves whatever class names the payload asks for. Signatures for known gadget chains catch only those chains and are defeated by re-encoding the payload, so in practice a WAF cannot reliably distinguish legitimate from malicious serialized data, and the attack passes through undetected.
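To make the two paragraphs above concrete, here is an added example (not code from the Contrast report or from any Contrast product) using Python's pickle, which has the same shape of problem as Java's ObjectInputStream or .NET's BinaryFormatter: the stream names the classes and callables to reconstruct, and a naive loader obeys. The names ReportRow, Gadget, record_hit, RestrictedUnpickler, referenced_globals and try_load are illustrative, and the malicious payload calls a harmless local recorder where a real one would call os.system. The block shows the vulnerable load, an allow-list unpickler that rejects anything but the expected type, and an opcode-level scan that lists which globals a stream would resolve before anything is executed; that last check is exactly the application-side context a perimeter WAF does not have.

```python
"""Unsafe vs. restricted deserialization, illustrated with Python's pickle.

Constructed example, not code from the Contrast report. ReportRow, Gadget,
record_hit, RestrictedUnpickler, referenced_globals and try_load are
illustrative names chosen for this example.
"""
import io
import pickle
import pickletools
from dataclasses import dataclass

# Records whether attacker-chosen code ran. A real payload would name
# os.system or subprocess.Popen instead of this harmless recorder.
HITS = []


def record_hit(msg):
    HITS.append(msg)
    return msg


@dataclass
class ReportRow:
    """The only type the application legitimately expects to receive."""
    app: str
    attacks: int


class Gadget:
    """Attacker-side class. __reduce__ tells pickle which callable to invoke,
    and with which arguments, when the stream is loaded. The victim never
    needs the Gadget class itself, only the callable the stream names."""
    def __reduce__(self):
        return (record_hit, ("attacker code executed during unpickle",))


def build_legit_payload(protocol=pickle.DEFAULT_PROTOCOL):
    return pickle.dumps(ReportRow("billing-api", 28), protocol=protocol)


def build_malicious_payload(protocol=pickle.DEFAULT_PROTOCOL):
    return pickle.dumps(Gadget(), protocol=protocol)


def unsafe_load(data):
    """The vulnerable pattern: reconstruct whatever the client sent."""
    return pickle.loads(data)


# Mitigation 1: an allow-list of the globals a stream may resolve.
# find_class is the hook pickle calls for every GLOBAL/STACK_GLOBAL reference.
ALLOWED_GLOBALS = {(ReportRow.__module__, "ReportRow"): ReportRow}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}") from None


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Mitigation 2 / detection: list the globals a stream references without
# executing it, by walking the opcode stream. Handles GLOBAL and INST
# (protocols 0-3) and STACK_GLOBAL (protocol 4+), where the module and name
# are the two most recently pushed strings, possibly fetched from the memo.
def referenced_globals(data):
    found = []
    strings = []   # string values pushed, in order (literals and memo gets)
    memo = {}      # memo slot -> pushed value (str or None)
    last = None    # value pushed by the most recent opcode
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):          # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            last = None
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
            last = None
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = arg if isinstance(arg, str) else None
            if last is not None:
                strings.append(last)
    return found


def try_load(loader, data):
    """Run a loader and report ('ok', object) or ('rejected', reason)."""
    try:
        return ("ok", loader(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, payload in (("legit", build_legit_payload()),
                           ("malicious", build_malicious_payload())):
        print(label, referenced_globals(payload), try_load(safe_load, payload))
```

Note that both payloads are opaque binary to anything that does not know the application: the legitimate one also references a class by name, so "contains a class reference" is not a usable signature. What separates them is whether the named global is one the application intends to reconstruct, and only an allow-list at the point of deserialization (or the scan above run in the application before loading) can answer that.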


Crafting the malicious serialized data takes some technical skill, but AI assistants have made that step easier, lowering the barrier to entry for less sophisticated attackers.

Insight No. 2: 110 attacks per app

The number of attacks per application continues to rise, up to 110 real attacks per app in the month of March. We’ve seen a steady climb over the past six months, as more cyberattackers focus on the application layer. Some of the types of attacks we see are more dangerous than others, which is why it is so concerning to see both a rise in attacks and a rise in a more complex attack like insecure deserialization. 

If you have not read our reports before, here's some important context. Contrast's attack data is measured directly from real-world running applications and application programming interfaces (APIs). We don't report attacks in the millions, billions or trillions, because that volume is part of the problem: too much noise. Because Contrast Security instruments the code, we're not reporting on signature matches or theoretical attacks, only on what is actually a dangerous anomaly.

Take a look at this image to see the types of viable attacks that Contrast ADR identified and stopped. The per-app figures are averaged across all monitored applications, but an application only registers an attack of a given type when it contains the corresponding vulnerability. So if you're vulnerable, you will see much higher rates than the ones in this table.

In last month’s blog, we predicted the rise in method tampering, but not the steady rise of insecure (unsafe) deserialization. We’ll keep an eye on it and report back next month on whether that tactic, and attacks overall, continue to rise.

Contrast Marketing