
Newtonsoft JSON.NET Security Vulnerability Implementation

The recently exposed security vulnerabilities regarding serialization in .NET have ambiguous recommendations. What is the correct way to securely use JSON.NET?

Detailed guidance for JSON.NET: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf#page=5

Should TypeNameHandling.All be used or should TypeNameHandling.None be used?

General Explanation: https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/

KPHutt asked Aug 14 '17 14:08



1 Answer

Well, it appears the answer is right in front of me in the documentation:

"Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than None."

KPHutt answered Oct 08 '22 18:10
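The documentation line quoted in the answer, carried through to working code. This is an added example and not part of the question, the answer, or the Json.NET project; the `Message` hierarchy, the binder class name and the sample JSON strings are constructed for illustration. It assumes Json.NET 10 or later, where `JsonSerializerSettings.SerializationBinder` takes an `ISerializationBinder`. The binder resolves a `$type` hint only against an explicit allow list and throws for anything else, so the deserializer never falls back to loading an arbitrary type by name.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Binder that maps a "$type" value to a CLR type only if that type is on the allow list.
// Anything else is rejected instead of being resolved through Type.GetType.
public sealed class AllowListSerializationBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _byFullName;

    public AllowListSerializationBinder(IEnumerable<Type> knownTypes)
    {
        _byFullName = knownTypes.ToDictionary(t => t.FullName, t => t);
    }

    // Called when deserializing: typeName comes from the untrusted "$type" property.
    public Type BindToType(string assemblyName, string typeName)
    {
        if (_byFullName.TryGetValue(typeName, out var type))
            return type;

        throw new JsonSerializationException(
            $"Type '{typeName}' is not permitted for deserialization.");
    }

    // Called when serializing: emit only the full type name, no assembly, so the
    // value we write is exactly the key we look up on the way back in.
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

// Constructed message hierarchy; polymorphism is the only reason to turn on type names at all.
public abstract class Message { public string Id { get; set; } }
public sealed class TextMessage : Message { public string Body { get; set; } }
public sealed class PingMessage : Message { }

public static class Demo
{
    // TypeNameHandling.None (the default) is the safest choice: "$type" in input is ignored.
    // If a value other than None is needed, pair it with the allow-list binder.
    public static JsonSerializerSettings SafeSettings() => new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListSerializationBinder(
            new[] { typeof(TextMessage), typeof(PingMessage) })
    };

    public static void Main()
    {
        var settings = SafeSettings();

        // Round trip of a legitimate polymorphic message.
        string json = JsonConvert.SerializeObject(new TextMessage { Id = "1", Body = "hi" }, settings);
        Console.WriteLine(json); // {"$type":"TextMessage","Id":"1","Body":"hi"}
        Message back = JsonConvert.DeserializeObject<Message>(json, settings);
        Console.WriteLine(back.GetType().Name); // TextMessage

        // Constructed untrusted input naming a type that is not on the allow list.
        string untrusted = "{\"$type\":\"System.Object, mscorlib\",\"Id\":\"2\"}";
        try
        {
            JsonConvert.DeserializeObject<Message>(untrusted, settings);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The binder is the check the quoted documentation sentence asks for: the `$type` string is attacker-controlled data, so it is treated as a lookup key into a fixed table rather than as a type to load. Keeping `TypeNameHandling.None` wherever polymorphic deserialization is not actually required removes the need for the binder entirely.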