Thanks for your kind words, Rohit! The easiest way to find deserialization bugs would be source code analysis. As for black-box methods, they would really depend on the language and library the application uses. I would say determining that is the first step, then look at commonly vulnerable functionalities like cookies.