C Sharp Insecure Deserialization Fastjson
Description
Detects unsafe FastJSON deserialization in C# code that could allow attackers to execute arbitrary code. When JSON.ToObject() is used without proper type constraints, malicious objects can be deserialized, leading to remote code execution vulnerabilities.
Detection Strategy
• Checks if the FastJSON library is imported in the code
• Identifies calls to JSON.ToObject method
• Reports a vulnerability when JSON.ToObject is called with an unsafe second parameter that doesn't properly restrict the deserialized type
• Only flags cases where the type parameter allows unrestricted deserialization of objects
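The four detection-strategy steps above, carried out by a small line-oriented checker. This is an added Python example written for this page, not Fluid Attacks' analyzer and not fastJSON code; the C# source it scans (SAMPLE_CS) is constructed to mirror the page's vulnerable and secure snippets, and the names scan_csharp, Finding and split_top_level_args are the example's own. It follows the rule as the page states it: a JSON.ToObject call is reported only when its second argument sets BadListTypeChecking = false, the reason also notes a combined UseExtensions = true, and a call with no JSONParameters argument is left alone, matching the "only flags" bullet.

```python
"""Line-oriented checker for unsafe fastJSON JSON.ToObject calls in C# source.

Added example for this page; it is not Fluid Attacks' analyzer.
"""
import re
from dataclasses import dataclass

# Step 1: the rule applies only when the fastJSON library is imported.
USING_FASTJSON = re.compile(r"^\s*using\s+fastJSON\s*;")
# Step 2: a JSON.ToObject(...) call (generic form allowed) and its argument list.
TOOBJECT_CALL = re.compile(r"JSON\.ToObject\s*(?:<[^>]*>)?\s*\((?P<args>.*)\)")
# Steps 3-4: the settings inside the JSONParameters initializer that matter.
BAD_LIST_FALSE = re.compile(r"BadListTypeChecking\s*=\s*false\b")
USE_EXT_TRUE = re.compile(r"UseExtensions\s*=\s*true\b")

# Constructed C# sample, not from any real project: one call per case.
SAMPLE_CS = """using fastJSON;
public class Example {
    public void Process(string json) {
        var a = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = false });
        var b = JSON.ToObject(json, new JSONParameters { UseExtensions = true, BadListTypeChecking = false });
        var c = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = true });
        var d = JSON.ToObject(json);
    }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def split_top_level_args(args: str) -> list[str]:
    """Split an argument list on commas that are not nested inside (), {} or [].

    Needed because the JSONParameters object initializer itself contains commas.
    """
    parts, depth, current = [], 0, []
    for ch in args:
        if ch in "({[":
            depth += 1
        elif ch in ")}]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return parts


def scan_csharp(source: str) -> list[Finding]:
    """Return one Finding per JSON.ToObject call whose second argument is unsafe."""
    lines = source.splitlines()
    if not any(USING_FASTJSON.match(ln) for ln in lines):
        return []  # fastJSON is not imported, so JSON.ToObject is some other API
    findings: list[Finding] = []
    for number, line in enumerate(lines, start=1):
        match = TOOBJECT_CALL.search(line)
        if not match:
            continue
        args = split_top_level_args(match.group("args"))
        if len(args) < 2:
            continue  # no JSONParameters argument: the library defaults apply
        params = args[1]
        if BAD_LIST_FALSE.search(params):
            reason = "BadListTypeChecking = false disables list type checking"
            if USE_EXT_TRUE.search(params):
                reason += " and is combined with UseExtensions = true"
            findings.append(Finding(number, reason))
    return findings


if __name__ == "__main__":
    for finding in scan_csharp(SAMPLE_CS):
        print(f"line {finding.line}: {finding.reason}")
```

Run as a script it prints the two reported lines of SAMPLE_CS (the `a` and `b` calls) and nothing for `c` and `d`. A real analyzer works on a syntax tree rather than regexes; this version does not see a call split across lines or a JSONParameters object built outside the call expression, which is the main gap a regex check has against the strategy as stated.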
Vulnerable code example
using fastJSON;

public class InsecureExample {
    public void ProcessJson(string json) {
        // Vulnerable: BadListTypeChecking=false allows type confusion attacks
        var obj1 = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = false });
        // Vulnerable: Combining UseExtensions=true with BadListTypeChecking=false is dangerous...
    }
}
✅ Secure code example
using fastJSON;

public class SecureExample {
    public void ProcessJson(string json) {
        try {
            // Safe: Enable type checking to prevent type confusion attacks
            var obj1 = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = true });
            ...
        } catch (System.Exception) {
            // Handler body not shown on the original page; rethrow so failures are not silently swallowed
            throw;
        }
    }
}