C Sharp Insecure Fspickler Deserialization
Description
Detects insecure deserialization vulnerabilities when the FsPickler JSON serializer is used in C# applications. Deserializing untrusted data with FsPickler can lead to remote code execution, because the serializer supports arbitrary .NET types and therefore lets the payload decide which types are instantiated.
Detection Strategy
• Check if the MBrace.FsPickler.Json library is imported in the code
• Look for instances where FsPickler.CreateJsonSerializer is called to create a serializer
• Identify deserialization operations on the created serializer instance
• Report a vulnerability when the data being deserialized may come from an untrusted source, such as user input or network traffic
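The four steps above, as an added example written for this page (it is not Fluid Attacks' analyzer): a lexical scan over C# source that checks the import, collects the variables created through FsPickler.CreateJsonSerializer, and reports deserialization calls on those variables. The sample source it scans is constructed for the example; the method names Deserialize, UnPickleOfString and UnPickle are the ones FsPickler serializers expose, assumed here from the library's public API. A production rule works on a parsed syntax tree and confirms that the argument actually flows from request input before reporting.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class FsPicklerRuleDemo
{
    // Constructed sample source, not code from any real project.
    const string Sample = @"
using MBrace.FsPickler.Json;
using System.IO;

public class Handler
{
    public void Process(HttpRequest request)
    {
        var fsPickler = FsPickler.CreateJsonSerializer();
        using var body = request.Body;
        var data = fsPickler.Deserialize<object>(body);  // untrusted input
    }
}";

    public static List<string> Scan(string source)
    {
        var findings = new List<string>();
        var lines = source.Split('\n');

        // Step 1: the library must be imported, otherwise there is nothing to report.
        bool imported = Array.Exists(lines,
            l => Regex.IsMatch(l, @"^\s*using\s+MBrace\.FsPickler\.Json\s*;"));
        if (!imported) return findings;

        // Step 2: collect variables assigned from FsPickler.CreateJsonSerializer().
        var serializers = new HashSet<string>();
        var create = new Regex(@"(?:var|\w+)\s+(\w+)\s*=\s*FsPickler\.CreateJsonSerializer\s*\(");
        foreach (var l in lines)
        {
            var m = create.Match(l);
            if (m.Success) serializers.Add(m.Groups[1].Value);
        }

        // Step 3: find deserialization calls on those instances.
        for (int i = 0; i < lines.Length; i++)
        {
            foreach (var name in serializers)
            {
                var call = $@"\b{Regex.Escape(name)}\.(Deserialize|UnPickleOfString|UnPickle)\b";
                if (Regex.IsMatch(lines[i], call))
                {
                    // Step 4: report. A real rule would first confirm that the
                    // argument is derived from an untrusted source.
                    findings.Add($"line {i + 1}: FsPickler deserialization on '{name}' -> {lines[i].Trim()}");
                }
            }
        }
        return findings;
    }

    public static void Main()
    {
        foreach (var finding in Scan(Sample))
            Console.WriteLine(finding);
    }
}
```

Running it prints one finding for the fsPickler.Deserialize<object>(body) line of the sample; a file without the MBrace.FsPickler.Json import, or one that never calls CreateJsonSerializer, produces no findings, which mirrors the order of checks in the strategy.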
Vulnerable code example
using MBrace.FsPickler.Json;

public class InsecureDeserializationDemo
{
    public void ProcessUserData(HttpRequest request)
    {
        var fsPickler = FsPickler.CreateJsonSerializer();
        ...
✅ Secure code example
using MBrace.FsPickler.Json;
using System.IO;

public class SecureDeserializationDemo
{
    // Define a safe class for expected data structure
    public class SafeDataModel
    {
        ...
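The vulnerable and hardened handlers side by side, as an added example that is not the page's own code. It takes the request body as a Stream so it does not depend on ASP.NET, and assumes the MBrace.FsPickler.Json NuGet package is referenced. The hardened form swaps in System.Text.Json bound to a closed data-transfer class, which is a different technique from the page's SafeDataModel snippet; OrderRequest and its limits are constructed for the example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.Json;
using MBrace.FsPickler.Json;

// A closed shape: only these members can ever come out of the parser.
public class OrderRequest
{
    public string CustomerId { get; set; } = "";
    public int Quantity { get; set; }
}

public static class DeserializationDemo
{
    // Vulnerable: the generic argument is object, so the payload itself
    // decides which .NET type FsPickler instantiates. This is exactly the
    // pattern the rule reports: library imported, serializer created,
    // untrusted stream deserialized.
    public static object ProcessUserDataInsecure(Stream body)
    {
        var fsPickler = FsPickler.CreateJsonSerializer();
        return fsPickler.Deserialize<object>(body);
    }

    // Hardened: a parser with no polymorphic type resolution, bound to a
    // fixed DTO, followed by explicit validation of the values before use.
    public static OrderRequest ProcessUserDataSecure(Stream body)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 8, // reject deeply nested payloads early
        };
        var order = JsonSerializer.Deserialize<OrderRequest>(body, options)
                    ?? throw new InvalidDataException("empty body");

        if (string.IsNullOrWhiteSpace(order.CustomerId) || order.CustomerId.Length > 64)
            throw new InvalidDataException("invalid customer id");
        if (order.Quantity < 1 || order.Quantity > 1000)
            throw new InvalidDataException("quantity out of range");
        return order;
    }

    public static void Main()
    {
        // Constructed sample body standing in for the request stream.
        var json = "{\"customerId\":\"c-42\",\"quantity\":3}";
        using var body = new MemoryStream(Encoding.UTF8.GetBytes(json));
        var order = ProcessUserDataSecure(body);
        Console.WriteLine($"{order.CustomerId} x{order.Quantity}");
    }
}
```

The difference the rule cares about is the type parameter and the parser: in the insecure method the serializer is created in the same scope as the untrusted stream and asked for an arbitrary object, so the scanner flags it; in the secure method there is no FsPickler call on untrusted data at all, and the result is a fixed shape that is validated before it is returned.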