Alternatives or not, you open that 'risky' door at the moment you have to read the payload to know what type of data it is.
Once it's read, it's already too late.
Java serialization has not many ways around it, you have to trust the sources.
XML, JSON, ... used naively with reflection (e.g. new XStream().fromXML(...)) exposes the exact same issues.
Custom homemade parsers are also very likely somehow vulnerable.
The deserialization attack is a way to make the deserializer exploits vulnerable classes that exist in your classpath.
It's not generating or executing malicious code by itself.
The standard classes should be ok, or at least fixed quickly.
Things like commons-collection will likely never be fixed. It might be considered as a feature from some point of view.
My 2 cents:
- Secure your sources
- Know you format, do not rely on reflection to parse text or binary data
- Watch out with your classpath, but you can never know what new vulnerability will pop next weeks
Related, i can't recommend enough "The One-Straw Revolution" by Masanobu Fukuoka for people interested in that topic and don't know about it.
https://archive.org/details/The-One-Straw-Revolution/page/n1...