C Sharp Viewstate Deserialization Rce Insecure
Description
Detects insecure deserialization vulnerabilities in C# applications where ReadXml is used to process untrusted input. When ViewState data is deserialized without proper validation, it can lead to remote code execution by allowing an attacker to inject malicious serialized objects.
Detection Strategy
• Identifies calls to methods ending with 'ReadXml'
• Checks if the first argument passed to ReadXml comes from an untrusted source (like user input)
• Reports a vulnerability when ReadXml is called with unvalidated input data that could contain malicious serialized content
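As an added illustration of the three steps above (this is not Fluid Attacks' own analyzer), a small Python checker that finds `*ReadXml` calls, follows method parameters through simple aliases, and skips values that pass through a validator; the C# snippet and the validator name `ValidateXmlPath` are constructed assumptions.

```python
import re

# Constructed C# sample (not from the page): alias chain in ProcessXml, hypothetical validator in ProcessChecked.
SAMPLE_CS = """
public class XmlHandler
{
    public void ProcessXml(string userInput)
    {
        DataTable dt = new DataTable();
        var payload = userInput;
        dt.ReadXml(new StringReader(payload));
    }
    public void ProcessChecked(string filePath)
    {
        string safePath = ValidateXmlPath(filePath);
        new DataTable().ReadXml(safePath, XmlReadMode.Auto);
    }
}
"""

SANITIZERS = {"ValidateXmlPath"}  # hypothetical validator names (assumption)
METHOD_RE = re.compile(r"[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)\s*\{")
ASSIGN_RE = re.compile(r"(?:[\w<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*([^;]+);")
CALL_RE = re.compile(r"(\w*ReadXml)\s*\(([^;]*)\)\s*;")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")

def _body(src, start):
    """Text from `start` (just past an opening brace) up to its matching close."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def _roots(expr):
    """Identifiers an expression depends on; string literals are ignored."""
    return set(IDENT_RE.findall(re.sub(r'"[^"]*"', '""', expr)))

def find_insecure_readxml(source):
    """Flag *ReadXml calls whose first argument derives from a method parameter without a validator."""
    findings = []
    for m in METHOD_RE.finditer(source):
        method, params = m.group(1), m.group(2)
        tainted = {p.split()[-1] for p in params.split(",") if p.strip()}  # parameters are untrusted
        for line in _body(source, m.end()).splitlines():
            if (a := ASSIGN_RE.search(line)) and not _roots(a.group(2)) & SANITIZERS:
                if _roots(a.group(2)) & tainted:
                    tainted.add(a.group(1))  # propagate taint through aliases
            if (c := CALL_RE.search(line)) and _roots(c.group(2).split(",")[0]) & tainted:
                findings.append((method, c.group(1), line.strip()))
    return findings
```

Running it over the sample reports only `ProcessXml`, since `ProcessChecked` routes its parameter through the validator first.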
Vulnerable code example
using System;
using System.Data;
using System.IO;
public class XmlHandler
{
    public void ProcessXml(string userInput)
    {
        DataTable dt = new DataTable();
        // The untrusted string is fed straight into ReadXml with no validation
        // (call reconstructed from the description above; the page's listing is truncated).
        dt.ReadXml(new StringReader(userInput));
    }
}
✅ Secure code example
using System;
using System.Data;
using System.IO;
using System.Xml;
public class XmlHandler
{
    public void ProcessXml(string filePath)
    {
        // Reconstructed body (the page's listing is truncated): filePath must be an application-controlled path, not user input, and DTDs and external resolution are disabled.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(filePath, settings))
            new DataTable().ReadXml(reader);
    }
}

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.