C Sharp Type Name Handling All
Description
Detects insecure TypeNameHandling settings in the Newtonsoft.Json (Json.NET) serializer configuration that could allow remote code execution through type information embedded in JSON data. When TypeNameHandling is set to an unsafe value such as 'All' or 'Auto', an attacker who controls the JSON input can exploit deserialization to execute arbitrary code.
Detection Strategy
• Checks whether the Newtonsoft.Json library is imported in the source file
• Identifies JsonSerializerSettings object declarations and their configuration
• Detects when the TypeNameHandling property is set to a dangerous value such as 'All', 'Auto', or another unsafe option
• Reports a vulnerability when TypeNameHandling is configured with a value that enables type information in serialized JSON
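The four checks above as a small stand-alone scanner, added here as an illustration; it is not Fluid Attacks' own rule implementation. The regular expressions and the C# sample it runs on are constructed for this example, and it also covers the object-initializer form, flag combinations such as Objects | Arrays, and a comparison that must not be flagged.

```python
import re
from dataclasses import dataclass

# TypeNameHandling members that make Json.NET honour type information carried
# in the JSON document; only None leaves it ignored.
UNSAFE_VALUES = {"All", "Auto", "Objects", "Arrays"}

IMPORT_RE = re.compile(r"^\s*using\s+Newtonsoft\.Json\s*;", re.MULTILINE)
# Assignment only: `=` not followed by another `=`, so `==` comparisons are skipped.
# Matches `settings.TypeNameHandling = ...;` and `{ TypeNameHandling = ... }`.
ASSIGN_RE = re.compile(r"\bTypeNameHandling\s*=(?!=)\s*([^;,}]+)")
MEMBER_RE = re.compile(r"\bTypeNameHandling\.(\w+)")


@dataclass
class Finding:
    line: int          # 1-based line of the assignment
    values: tuple      # unsafe enum members found on the right-hand side


def find_unsafe_type_name_handling(source: str) -> list:
    """Return one Finding per TypeNameHandling assignment that enables an unsafe value."""
    # Mirrors the first check: the enum belongs to Newtonsoft.Json, so without the
    # import there is nothing to report.
    if not IMPORT_RE.search(source):
        return []
    findings = []
    for m in ASSIGN_RE.finditer(source):
        members = MEMBER_RE.findall(m.group(1))  # handles `Objects | Arrays` combinations
        unsafe = tuple(v for v in members if v in UNSAFE_VALUES)
        if unsafe:
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, unsafe))
    return findings


# Constructed C# sample: a vulnerable property assignment (line 7), an initializer
# with a flag combination (line 12), a comparison (line 13) and a safe None (line 17).
SAMPLE = """using Newtonsoft.Json;
public class Demo
{
    public void A(string json)
    {
        var settings = new JsonSerializerSettings();
        settings.TypeNameHandling = TypeNameHandling.All;
        JsonConvert.DeserializeObject<object>(json, settings);
    }
    public void B(string json)
    {
        var s = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects | TypeNameHandling.Arrays };
        if (s.TypeNameHandling == TypeNameHandling.None) { }
    }
    public void C(string json)
    {
        var safe = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
    }
}
"""

if __name__ == "__main__":
    for f in find_unsafe_type_name_handling(SAMPLE):
        print(f"line {f.line}: unsafe TypeNameHandling {', '.join(f.values)}")
```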
Vulnerable code example
using Newtonsoft.Json;

public class UnsafeDeserialization
{
    public void DeserializeData(string jsonInput)
    {
        var settings = new JsonSerializerSettings();
        settings.TypeNameHandling = TypeNameHandling.All; // Vulnerable: Allows arbitrary type deserialization
        // Type information in the untrusted input is honoured during deserialization
        var result = JsonConvert.DeserializeObject<object>(jsonInput, settings);
    }
}
✅ Secure code example
using Newtonsoft.Json;

public class SafeDeserialization
{
    public void DeserializeData(string jsonInput)
    {
        // Explicitly disable type handling to prevent arbitrary type deserialization attacks
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None
        };
        var result = JsonConvert.DeserializeObject<object>(jsonInput, settings);
    }
}