We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET
.NET serialization vulnerabilities can lead to remote code execution (RCE), with examples in LightDB and JSON.net, and common attack vectors including polymorphic serialization and mutation attacks. Learn how to prevent these attacks with best practices.
-
.NET serialization vulnerabilities are a major issue and can lead to remote code execution (RCE)
. -
LightDB
is a.NET
NoSQL driver that is vulnerable to RCE due to its use of polymorphic serializers. -
JSON.net
is also vulnerable due to its lack of strict type checking and ability to deserialize arbitrary types. -
Polymorphic serializers can be used to bypass serialization binds and inject arbitrary code
. -
Mutation attacks can be used to modify serialized data and inject malicious code
. -
Implicit serialization vulnerabilities are present in many .NET serializers and can lead to RCE
. -
Best practices to prevent these attacks include: don't use polymorphic serializers, don't use unsafe serializers, and ensure that data being serialized is properly validated
. -
Articles and research papers on .NET serialization vulnerabilities are available online for reference
.