C# JavaScriptSerializer SimpleTypeResolver Usage
Description
Detects insecure usage of JavaScriptSerializer in C# applications. When a JavaScriptSerializer is constructed with a SimpleTypeResolver, the serializer honors the __type property of the incoming JSON and resolves it with Type.GetType, so attacker-controlled input decides which .NET type is instantiated and which property setters run during deserialization. Known gadget chains turn that arbitrary type instantiation into remote code execution.
Detection Strategy
• Check for code that uses the JavaScriptSerializer class (System.Web.Script.Serialization) in C# applications
• Inspect how each JavaScriptSerializer instance is constructed, in particular whether a JavaScriptTypeResolver is passed to the constructor
• Flag usage where a SimpleTypeResolver is passed (directly or through a variable), or where a custom JavaScriptTypeResolver does not restrict the type names it will resolve to an allow list
• Report a vulnerability when the serializer can deserialize arbitrary types chosen by the input through a __type hint
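The following is an added example, not part of the original rule page or of Fluid Attacks' scanner: a small C# program that applies the strategy above to source text with regular expressions. It reports a JavaScriptSerializer construction as vulnerable when a SimpleTypeResolver is passed directly or through a previously declared local, and asks for review when any other resolver is passed. The sample source it scans is constructed for the demonstration, and AllowListResolver is a hypothetical class name; a real analyzer would work on a syntax tree rather than on line-by-line regexes.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not from the original page): regex-based detection of the
// "new JavaScriptSerializer(new SimpleTypeResolver())" pattern in C# source.
public static class JsSerializerScanner {
    // "new JavaScriptSerializer(<arg>)"; the greedy group stops at the last ')' on the line,
    // which is enough for one construction per line.
    static readonly Regex Ctor = new Regex(
        @"new\s+JavaScriptSerializer\s*\((?<arg>.*)\)", RegexOptions.Compiled);

    // "<name> = new SimpleTypeResolver(" so that a resolver passed by variable is caught too.
    static readonly Regex ResolverDecl = new Regex(
        @"\b(?<name>\w+)\s*=\s*new\s+SimpleTypeResolver\s*\(", RegexOptions.Compiled);

    public static List<string> Scan(string source) {
        var findings = new List<string>();
        var resolverVars = new HashSet<string>();
        string[] lines = source.Replace("\r\n", "\n").Split('\n');

        for (int i = 0; i < lines.Length; i++) {
            string line = lines[i];

            // Remember locals that hold a SimpleTypeResolver (declaration may precede the use).
            foreach (Match m in ResolverDecl.Matches(line))
                resolverVars.Add(m.Groups["name"].Value);

            Match c = Ctor.Match(line);
            if (!c.Success) continue;

            string arg = c.Groups["arg"].Value.Trim();
            if (arg.Length == 0)
                continue; // default constructor: no resolver, __type hints are ignored

            if (arg.Contains("SimpleTypeResolver") || resolverVars.Contains(arg))
                findings.Add($"line {i + 1}: VULNERABLE, JavaScriptSerializer built with SimpleTypeResolver: {line.Trim()}");
            else
                findings.Add($"line {i + 1}: REVIEW, JavaScriptSerializer built with a custom resolver, confirm it allow-lists types: {line.Trim()}");
        }
        return findings;
    }

    // Constructed sample source (not real project code) covering the cases the rule describes.
    const string Sample =
        "var a = new JavaScriptSerializer();\n" +
        "var b = new JavaScriptSerializer(new SimpleTypeResolver());\n" +
        "var resolver = new SimpleTypeResolver();\n" +
        "var c = new JavaScriptSerializer(resolver);\n" +
        "var d = new JavaScriptSerializer(new AllowListResolver());\n";

    public static void Main() {
        // Expected: line 2 and line 4 reported as VULNERABLE, line 5 as REVIEW, line 1 silent.
        foreach (string finding in Scan(Sample))
            Console.WriteLine(finding);
    }
}
```

The REVIEW branch matters in practice: a custom JavaScriptTypeResolver is only safe if its ResolveType returns null for anything outside a fixed set of expected types, and that property cannot be decided by the constructor call alone.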
Vulnerable code example
using System.Web.Script.Serialization;

public class JsonHelper {
    public T DeserializeUnsafe<T>(string json) {
        // Vulnerable: SimpleTypeResolver resolves the __type hint in the JSON with Type.GetType,
        // so the input chooses which type is instantiated and populated
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.Deserialize<T>(json);
    }
}

✅ Secure code example
using System.Web.Script.Serialization;

public class JsonHelper {
    public T DeserializeSecure<T>(string json) {
        // Safe: no type resolver is configured, so a __type hint in the input is discarded
        // and only T (or plain dictionaries and lists, when T is object) can be produced
        var serializer = new JavaScriptSerializer();
        return serializer.Deserialize<T>(json);
    }
}
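To make the difference concrete, here is an added example that is not part of the original page: a console program that feeds the same JSON, carrying a __type hint, to a JavaScriptSerializer with and without SimpleTypeResolver. Greeting and SideEffectOnSet are hypothetical classes defined for the demonstration; a real attacker would name a gadget type whose setters do actual damage. The payload is constructed in code, and it needs .NET Framework, since System.Web.Script.Serialization (System.Web.Extensions.dll) is not available on .NET Core or later.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization; // System.Web.Extensions.dll, .NET Framework only

// Added example (not from the original page). The DTO the application expects to receive.
public class Greeting {
    public string Text { get; set; }
}

// Hypothetical stand-in for a type the application never meant to deserialize, whose
// property setter has a side effect. Gadget types used in real attacks behave the same
// way, except that the side effect is code execution.
public class SideEffectOnSet {
    private string _command;
    public string Command {
        get { return _command; }
        set { _command = value; Console.WriteLine("[setter ran] Command = " + value); }
    }
}

public static class Demo {
    // Constructed payload. SimpleTypeResolver resolves the __type value with Type.GetType,
    // so an attacker supplies an assembly-qualified name; it is computed here only so the
    // sample works whatever the compiled assembly is called.
    static string Payload() {
        string typeName = typeof(SideEffectOnSet).AssemblyQualifiedName;
        return "{\"__type\":\"" + typeName + "\",\"Command\":\"whoami\",\"Text\":\"hi\"}";
    }

    public static void Main() {
        string json = Payload();

        // Vulnerable: the __type hint selects SideEffectOnSet, it is instantiated with
        // Activator.CreateInstance and its Command setter runs with attacker data.
        var unsafeSerializer = new JavaScriptSerializer(new SimpleTypeResolver());
        object resolved = unsafeSerializer.Deserialize<object>(json);
        Console.WriteLine("with SimpleTypeResolver: " + resolved.GetType().Name);

        // Safe: with no resolver the __type hint is discarded. Deserialize<object> yields a
        // plain Dictionary<string, object> and no application type is instantiated.
        var safeSerializer = new JavaScriptSerializer();
        object plain = safeSerializer.Deserialize<object>(json);
        Console.WriteLine("without resolver: " + plain.GetType().Name
            + " (is dictionary: " + (plain is Dictionary<string, object>) + ")");

        // Safer still: deserialize into the concrete DTO the endpoint expects. Unknown keys
        // such as Command are ignored and the setter of SideEffectOnSet never runs.
        Greeting g = safeSerializer.Deserialize<Greeting>(json);
        Console.WriteLine("typed: Text = " + g.Text);
    }
}
```

Running it prints the "[setter ran]" line once, from the SimpleTypeResolver path only; the two calls on the default serializer never touch SideEffectOnSet. JavaScriptSerializer is a legacy API, so where a migration is possible, moving untrusted-input handling to System.Text.Json, which has no type-hint mechanism, removes this class of issue entirely.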