TL;DR: __call, __get, __set, __invoke turn attacker-controlled access into method calls — primary deserialisation surface.
Stub — to be filled in.
What it is
TODO
Preconditions / where it applies
TODO
Technique
TODO
Detection and defence
TODO
References