C Sharp Serializable With Pointer Fields
Description
Detects C# classes marked with the [Serializable] attribute that declare unsafe pointer fields. A pointer field holds a raw memory address, so serializing it can expose memory addresses (information disclosure), and deserializing a value into a pointer field can lead to memory corruption when that address is later dereferenced.
Detection Strategy
• Check for classes decorated with the [Serializable] attribute in C# code
• Check whether the serializable class declares any pointer fields (unsafe pointer types such as int* or void*)
• Report a vulnerability when a serializable class contains one or more pointer fields, since serializing raw addresses creates memory safety issues
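A minimal implementation of this strategy, added here as an example and not Fluid Attacks' own analyzer: a Python scan over C# source text that pairs each [Serializable] class with the pointer fields declared in its body. The sample source, the regular expressions and the decision to skip fields marked [NonSerialized] are assumptions of this example, not rules taken from the page.

```python
import re

# Constructed sample (not from the page): the page's two classes plus edge cases.
SAMPLE_CS = """
[Serializable]
unsafe class UnsafeData
{
    private int* pointer;                    // reported
    [NonSerialized] private byte** scratch;  // skipped: never serialized
    private int product = 6 * 7;             // '*' here is multiplication
}
[Serializable]
class SafeData
{
    private int value;
}
unsafe class NotSerializable
{
    public void* raw;                        // class is not [Serializable]
}
"""
# "[Serializable]" in any attribute list, then the class header up to its "{".
_SERIALIZABLE_CLASS = re.compile(
    r"\[[^\]]*\bSerializable\b[^\]]*\]\s*(?:\[[^\]]*\]\s*)*"
    r"(?:(?:public|internal|private|protected|unsafe|sealed|partial|static|abstract)\s+)*"
    r"class\s+(?P<name>\w+)[^{]*\{")
# A field whose declared type ends in one or more '*' (int*, byte**, void*).
_POINTER_FIELD = re.compile(
    r"^\s*(?P<attrs>(?:\[[^\]]*\]\s*)*)"
    r"(?:(?:public|internal|private|protected|static|readonly|volatile)\s+)*"
    r"[\w.]+\s*\*+\s*(?P<name>\w+)\s*(?:=[^;]*)?;", re.M)

def _class_body(src: str, open_brace: int) -> str:
    """Text between the class's braces; depth counting survives nested blocks
    (braces inside string literals or comments are not special-cased)."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced source: scan to the end

def find_serializable_pointer_fields(src: str) -> list[tuple[str, str]]:
    """(class, field) pairs for pointer fields declared in [Serializable] classes.
    Assumption: a field marked [NonSerialized] never reaches the serializer, so skip it."""
    findings = []
    for m in _SERIALIZABLE_CLASS.finditer(src):
        for f in _POINTER_FIELD.finditer(_class_body(src, m.end() - 1)):
            if "NonSerialized" not in f.group("attrs"):
                findings.append((m.group("name"), f.group("name")))
    return findings
```

Running `find_serializable_pointer_fields(SAMPLE_CS)` reports only `UnsafeData.pointer`; the multiplication, the [NonSerialized] field and the non-serializable class produce no finding.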
Vulnerable code example
using System;

[Serializable]
unsafe class UnsafeData
{
    private int* pointer; // Unsafe: a serializable class should not contain pointer fields
}

✅ Secure code example
using System;

[Serializable]
class SafeData
{
    private int value; // Safe: a regular value type is used instead of a pointer
    // Optional: add [NonSerialized] to any fields that should not be serialized...
}