I am currently performing a secure code review of Fortify-reported issues, and the segments of code flagged relate to the current session state being stored in memory. By default, the .NET framework automatically stores all HttpSessionState objects, their attributes and any objects they reference in memory. This implementation limits active session state to what can be accommodated by the system memory of a single machine.
In order to improve performance, it is recommended to mark all objects serializable to expand capacity.
While all steps have been taken to make all these objects Serializable, the Fortify scanning tool still flags some string variables as vulnerable.
My question is: are string variables not serialized by default, or do I need to explicitly mark these variables "Serializable"?
What is serialization and deserialization in .NET? Serialization is the process of converting an object into a stream of bytes; deserialization is the reverse, converting a stream of bytes back into an object. The following points describe where serialization comes into play:
Object serialization is the process through which an object's state is transformed into some serial data format, such as XML or binary, so that it can be stored for later use. In other words, the object is "dehydrated" and put away until it is needed again.
The .NET Framework supports built-in serialization, which can be accomplished using two methods, binary and XML. The mechanism is quite generic: it requires you to create a stream and a formatter. The stream, as the name suggests, holds the bytes of the serialized object, and the formatter performs the conversion.
Binary and XML serialization can each be performed in two ways, basic and custom. Basic serialization lets .NET serialize the object automatically; the only requirement is that the class has the SerializableAttribute applied. The NonSerializedAttribute can be used to keep specific fields from being serialized.
It's a false-positive detection. The String type does not implement ISerializable, which (I think) is the reason why Fortify complains. But String is decorated with the [Serializable] attribute, as can be seen here: https://docs.microsoft.com/en-us/dotnet/api/system.string, and typeof(string).IsSerializable returns true, which gives you enough evidence to request an exemption. Hope it helps.
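To turn the answer's `typeof(string).IsSerializable` check into something a reviewer can run against the flagged session objects, here is an added example (not code from the question or answer) that walks a class's fields with reflection and reports any field whose type lacks `[Serializable]`. The `CartState` and `DbHandle` types are hypothetical stand-ins for the session objects under review.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Hypothetical helper type deliberately NOT marked [Serializable].
public class DbHandle { }

// Hypothetical session object of the kind described in the question:
// a [Serializable] class whose fields include plain strings.
[Serializable]
public class CartState
{
    public string UserName;                              // string carries [Serializable] in the BCL
    public List<string> Items = new List<string>();      // List<T> is also [Serializable]
    [NonSerialized] public DbHandle Connection;          // excluded on purpose, so not reported
    public DbHandle Cache;                               // the one field that would break an out-of-process store
}

public static class SerializableAudit
{
    // Returns a description of every field whose declared type is not marked
    // [Serializable], skipping fields the author already excluded with [NonSerialized].
    // This is the same Type.IsSerializable test the answer cites, applied per field.
    public static List<string> NonSerializableFields(Type t)
    {
        const BindingFlags all = BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
        return t.GetFields(all)
                .Where(f => !f.IsNotSerialized)
                .Where(f => !f.FieldType.IsSerializable)
                .Select(f => $"{t.Name}.{f.Name} : {f.FieldType.FullName}")
                .ToList();
    }

    public static void Main()
    {
        // Evidence for the Fortify exemption: the String type itself is serializable.
        Console.WriteLine($"typeof(string).IsSerializable = {typeof(string).IsSerializable}");
        Console.WriteLine($"typeof(CartState).IsSerializable = {typeof(CartState).IsSerializable}");

        // Only fields with genuinely non-serializable types are listed here;
        // the string fields are not, which matches the answer's false-positive verdict.
        foreach (var finding in NonSerializableFields(typeof(CartState)))
            Console.WriteLine("Not serializable: " + finding);
    }
}
```

Running this against the real session classes gives a concrete list of fields to fix or exclude, separate from the string fields Fortify reports.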