C Sharp Unsafe Xml Deserialization
Description
Detects unsafe XML deserialization in C# code that could allow attackers to execute malicious code through XmlSerializer when combined with dynamic type loading (Type.GetType). This vulnerability can lead to remote code execution if untrusted XML input is deserialized while allowing dynamic type resolution.
Detection Strategy
• Identifies usage of the XmlSerializer class in C# code
• Checks whether the Type passed to XmlSerializer is resolved dynamically via Type.GetType
• Checks whether the XML input or the type name potentially comes from an untrusted source such as HttpRequest
• Reports a vulnerability when XmlSerializer is used with dynamic type loading and possibly untrusted input
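The four steps above map naturally onto a small static check. The following Python script is an added example, not Fluid Attacks' scanner code: it is a regex-based, file-level approximation of the strategy that looks for `new XmlSerializer(...)` constructions, checks whether the type argument is `Type.GetType(...)` inline or a local assigned from it, and only reports when `HttpRequest` members such as `QueryString`, `Form` or `InputStream` appear in the same file. The three C# snippets it runs over are constructed fixtures; the class, method and member names in them are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Step 1: XmlSerializer constructions; group(1) is the first argument
# (the Type being deserialized), read up to the first comma or ')'.
XMLSERIALIZER_RE = re.compile(r"new\s+XmlSerializer\s*\(\s*([^,)]+)")
# Step 2: dynamic type resolution, either inline in the constructor
# argument or assigned to a local that is later passed to it.
GETTYPE_RE = re.compile(r"Type\.GetType\s*\(")
GETTYPE_ASSIGN_RE = re.compile(r"\b(?:var|Type)\s+(\w+)\s*=\s*Type\.GetType\s*\(")
# Step 3: HttpRequest members that carry attacker-controlled data.
UNTRUSTED_RE = re.compile(
    r"\b(?:request|Request|HttpContext\.Current\.Request)"
    r"\.(?:Form|QueryString|Headers|InputStream|Body|Params)\b"
)


@dataclass(frozen=True)
class Finding:
    line: int             # 1-based line of the XmlSerializer construction
    type_expression: str  # expression passed as the serializer's Type
    reason: str


def find_unsafe_xml_deserialization(source: str) -> list[Finding]:
    """Heuristic, file-level version of the rule's detection strategy."""
    lines = source.splitlines()

    # Locals bound to Type.GetType(...) anywhere in the file.
    dynamic_locals: set[str] = set()
    for line in lines:
        assign = GETTYPE_ASSIGN_RE.search(line)
        if assign:
            dynamic_locals.add(assign.group(1))

    # Whether any HttpRequest-derived data is referenced in the file.
    untrusted_input = any(UNTRUSTED_RE.search(line) for line in lines)

    findings: list[Finding] = []
    for number, line in enumerate(lines, start=1):
        match = XMLSERIALIZER_RE.search(line)
        if not match:
            continue
        type_expr = match.group(1).strip()
        inline_dynamic = GETTYPE_RE.search(type_expr) is not None
        via_local = type_expr in dynamic_locals
        if not (inline_dynamic or via_local):
            continue  # fixed type such as typeof(OrderDto): not reported
        if not untrusted_input:
            continue  # dynamic type but no HttpRequest data in scope
        findings.append(Finding(
            number, type_expr,
            "XmlSerializer type comes from Type.GetType while HttpRequest data is in scope",
        ))
    return findings


# Constructed fixture: dynamic type, resolved from a query-string parameter.
VULNERABLE_SAMPLE = """public class UnsafeController
{
    public void ProcessXml(HttpRequest request)
    {
        string typeName = request.QueryString["type"];
        Type resolved = Type.GetType(typeName);
        var serializer = new XmlSerializer(resolved);
        serializer.Deserialize(request.InputStream);
    }
}
"""

# Constructed fixture: fixed, known type; untrusted XML is fine here.
SAFE_SAMPLE = """public class SafeController
{
    public void ProcessXml(HttpRequest request)
    {
        var serializer = new XmlSerializer(typeof(OrderDto));
        var order = (OrderDto)serializer.Deserialize(request.InputStream);
    }
}
"""

# Constructed fixture: dynamic type, but no HttpRequest data anywhere.
TRUSTED_SOURCE_SAMPLE = """public class ImportJob
{
    public void Run(string typeName, Stream trustedFile)
    {
        var serializer = new XmlSerializer(Type.GetType(typeName));
        serializer.Deserialize(trustedFile);
    }
}
"""

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE_SAMPLE),
                         ("safe", SAFE_SAMPLE),
                         ("trusted-source", TRUSTED_SOURCE_SAMPLE)]:
        for f in find_unsafe_xml_deserialization(sample):
            print(f"{name}: line {f.line}: XmlSerializer({f.type_expression}) -> {f.reason}")
```

Only the first fixture is reported; the `typeof(...)` form is never flagged, and the dynamic form without `HttpRequest` data stays quiet, which is exactly the combination the rule describes. A real scanner tracks data flow across methods and files rather than co-occurrence within one file, so treat this as an illustration of the strategy, not a replacement for it.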
Vulnerable code example

```csharp
using System.Xml.Serialization;
using System.Web;

public class UnsafeController
{
    public void ProcessXml(HttpRequest request)
    {
        // INSECURE: Allows arbitrary type deserialization from user input...
    }
}
```

✅ Secure code example

```csharp
using System.Xml.Serialization;
using System.Web;

public class SafeController
{
    public void ProcessXml(HttpRequest request)
    {
        // Secure: Use a fixed, known type instead of user input...
    }
}
```