
fake serialization information

I am preparing for MCTS exam 70-536 and reading the book "MCTS self paced training kit exam 70 536 microsoft net framework application development foundation second edition"

In Chapter 5 - Serialization, below is the statement which stumped me.

You must perform data validation in your serialization constructor and throw a SerializationException if invalid data is provided. The risk is that an attacker could use your class but provide fake serialization information in an attempt to exploit a weakness.

I understand data validation but am unable to understand how an attacker could provide fake serialization information. I would like to know this in terms of an example (either in code or in concept). I searched the web but could not come up with anything.


If you serialize your data to a file, the user could just edit your file to cause your program to behave incorrectly. Similar things can be done if you read or write to a location online (including modifying the data in transit if it is not authenticated). The overall theme of the discussion is that there is no guarantee that serialized data is generated by your application; it could be generated by an attacker or a fuzz tester that is purposely trying to corrupt your application's data structures to find vulnerabilities.
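The following C# program is an added illustration of the point made in this answer and in the book's statement; it is not code from the original post or from the training kit. The `Account` type, its field names and the validation limits are assumptions chosen for the demo. The serialization constructor receives a `SerializationInfo` built from whatever was in the stream, so the example hands it name/value pairs typed in directly, standing in for a file that someone has edited, and shows the constructor rejecting values that could never have come from the class's own public constructor.

```csharp
using System;
using System.Runtime.Serialization;

// Added example: an ISerializable type whose serialization constructor
// re-validates every field instead of trusting the stream.
[Serializable]
public sealed class Account : ISerializable
{
    public string Owner { get; }
    public decimal Balance { get; }
    public int Version { get; }

    // Normal construction path: callers can only create valid objects.
    public Account(string owner, decimal balance)
    {
        if (string.IsNullOrWhiteSpace(owner))
            throw new ArgumentException("owner required", nameof(owner));
        if (balance < 0)
            throw new ArgumentOutOfRangeException(nameof(balance));
        Owner = owner;
        Balance = balance;
        Version = 1;
    }

    // Deserialization path: the formatter calls this with the name/value
    // pairs it read. None of them passed through the constructor above,
    // so each one is checked here and bad input becomes a
    // SerializationException rather than a live object in a bad state.
    private Account(SerializationInfo info, StreamingContext context)
    {
        if (info == null) throw new ArgumentNullException(nameof(info));

        int version = info.GetInt32("Version");
        if (version != 1)
            throw new SerializationException($"Unsupported Account version {version}.");

        string owner = info.GetString("Owner");
        if (string.IsNullOrWhiteSpace(owner) || owner.Length > 64)
            throw new SerializationException("Owner is missing or too long.");

        decimal balance = info.GetDecimal("Balance");
        if (balance < 0 || balance > 1_000_000m)
            throw new SerializationException($"Balance {balance} is out of range.");

        Owner = owner;
        Balance = balance;
        Version = version;
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("Version", Version);
        info.AddValue("Owner", Owner);
        info.AddValue("Balance", Balance);
    }

    // Demo-only helper (assumption, not something a real class needs): lets
    // the program feed a SerializationInfo to the private constructor
    // without going through a formatter.
    public static Account FromSerializationInfo(SerializationInfo info) =>
        new Account(info, new StreamingContext(StreamingContextStates.All));
}

public static class Program
{
    // Builds the SerializationInfo a formatter would produce while reading a
    // stream. The values are constructed input for the demo; the tampered
    // ones stand in for a file edited outside the application.
    static SerializationInfo MakeInfo(int version, string owner, decimal balance)
    {
        var info = new SerializationInfo(typeof(Account), new FormatterConverter());
        info.AddValue("Version", version);
        info.AddValue("Owner", owner);
        info.AddValue("Balance", balance);
        return info;
    }

    public static void Main()
    {
        // Data the application itself would have written: accepted.
        var good = Account.FromSerializationInfo(MakeInfo(1, "alice", 250m));
        Console.WriteLine($"OK: {good.Owner} {good.Balance}");

        // Data that could only come from a modified stream: rejected.
        var tampered = new[]
        {
            MakeInfo(1, "alice", -5000m),  // negative balance
            MakeInfo(7, "alice", 250m),    // version the code does not know
            MakeInfo(1, "", 250m),         // empty owner
        };
        foreach (var info in tampered)
        {
            try
            {
                Account.FromSerializationInfo(info);
                Console.WriteLine("Accepted (should not happen)");
            }
            catch (SerializationException ex)
            {
                Console.WriteLine($"Rejected: {ex.Message}");
            }
        }
    }
}
```

The checks in the serialization constructor protect the invariants of this one type; they do not make the formatter itself safe. Deserializing untrusted input with `BinaryFormatter` is insecure regardless of per-type validation, which is why Microsoft has deprecated it; the constructor check is the last line of defence for your own fields, and authenticating the stream (or using a formatter that does not resolve arbitrary types) is the first.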
