C Sharp Insecure Deserialization Untrusted Input
Description
Detects the use of unsafe .NET deserialization classes that can lead to remote code execution when processing untrusted input. Using classes like BinaryFormatter or NetDataContractSerializer to deserialize data from untrusted sources allows attackers to execute malicious code during the deserialization process.
Detection Strategy
• Check for usage of dangerous .NET deserialization classes including: BinaryFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter, and ObjectStateFormatter
• Report a vulnerability when any of these dangerous deserializer classes are instantiated or referenced in the code
• The entire usage of these classes is considered vulnerable since they lack built-in security controls for untrusted input
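The strategy above is simple enough to reproduce as a small source scanner. The following Python script is an added example, not Fluid Attacks' own checker: it walks C# source line by line, ignores comments and string literals, and reports every namespace-qualified or bare reference to the five classes listed, classifying each hit as an instantiation (preceded by `new`) or a plain type reference. The embedded C# snippet is constructed for the demonstration; the class and function names (`Finding`, `scan_csharp`) are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Dangerous .NET deserializers named in the detection strategy.
DANGEROUS_DESERIALIZERS = (
    "BinaryFormatter",
    "SoapFormatter",
    "NetDataContractSerializer",
    "LosFormatter",
    "ObjectStateFormatter",
)

# An optionally namespace-qualified identifier that ends in one of the class names,
# matched as a whole word so that e.g. "MyBinaryFormatter" is not reported.
_CLASS_RE = re.compile(
    r"(?<![\w.])(?:[A-Za-z_]\w*\.)*(" + "|".join(DANGEROUS_DESERIALIZERS) + r")\b"
)


@dataclass(frozen=True)
class Finding:
    line: int
    cls: str
    kind: str   # "instantiation" or "reference"
    text: str   # the offending source line, for the report


def _strip_noise(line: str, in_block: bool) -> tuple[str, bool]:
    """Blank out string literals and // and /* */ comments so that mentions of a
    class name in a comment or a log message are not counted as usages.
    (Limitation of this example: a verbatim @"..." string ending in a backslash is
    treated as an ordinary string and may swallow the rest of the line.)"""
    out: list[str] = []
    i, n = 0, len(line)
    while i < n:
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i, in_block = end + 2, False
            continue
        if line.startswith("//", i):
            break
        if line.startswith("/*", i):
            in_block, i = True, i + 2
            continue
        if line[i] == '"':
            j = i + 1
            while j < n and line[j] != '"':
                if line[j] == "\\":
                    j += 1
                j += 1
            i = j + 1
            out.append(" ")   # keep a separator so tokens do not merge
            continue
        out.append(line[i])
        i += 1
    return "".join(out), in_block


def scan_csharp(source: str) -> list[Finding]:
    """Return one Finding per reference to a dangerous deserializer class."""
    findings: list[Finding] = []
    in_block = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code, in_block = _strip_noise(raw, in_block)
        for m in _CLASS_RE.finditer(code):
            before = code[: m.start()].rstrip()
            kind = "instantiation" if re.search(r"\bnew$", before) else "reference"
            findings.append(Finding(lineno, m.group(1), kind, raw.strip()))
    return findings


# Constructed sample: a handler mixing a legacy field, a fully qualified
# instantiation, a comment mention, a string mention and a safe System.Text.Json call.
SAMPLE_SOURCE = """\
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

public class Handler
{
    // BinaryFormatter mentioned in a comment should not be reported
    private readonly NetDataContractSerializer _ser = new NetDataContractSerializer();

    public object Load(Stream s)
    {
        var log = "BinaryFormatter is legacy";   // string literal, not a finding
        var f = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
        return f.Deserialize(s);
    }

    public T Safe<T>(string json) => JsonSerializer.Deserialize<T>(json);
}
"""

if __name__ == "__main__":
    for f in scan_csharp(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} of {f.cls}: {f.text}")
```

Run on the sample it reports the field type and its initializer on line 7 and the fully qualified `BinaryFormatter` on line 12, while the comment, the string literal and the `JsonSerializer` call produce nothing. Because the rule treats any reference as a finding, a field declaration is flagged even without a visible `Deserialize` call, which matches the "entire usage" stance of the strategy.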
Vulnerable code example
using System.Runtime.Serialization.Formatters.Binary;
using System.Runtime.Serialization;
using System.IO;
public class UnsafeDeserialization
{
    public void ProcessData(Stream data)
    {
        // Vulnerable: BinaryFormatter reconstructs whatever types the stream names,
        // so untrusted input controls which objects are created during Deserialize()
        var formatter = new BinaryFormatter();
        object result = formatter.Deserialize(data);
    }
}
✅ Secure code example
using System.Text.Json;
using System.IO;
// MyData stands in for the concrete type the application expects
public class MyData
{
    public string Name { get; set; }
}
public class SafeDeserialization
{
    public void ProcessData(Stream data)
    {
        // Safe: System.Text.Json has built-in security features; the target type is
        // fixed by the caller and no type information is taken from the input
        MyData result = JsonSerializer.Deserialize<MyData>(data);
    }
}