2

I have been reading up on Insecure Deserialization and how it can affect Java applications.

https://owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

If the captured traffic includes the following patterns, it may suggest that the data was sent as a Java serialization stream:

"AC ED 00 05" in Hex
"rO0" in Base64
Content-type = 'application/x-java-serialized-object'

Burp extension to perform Java Deserialization Attacks:

https://github.com/NetSPI/JavaSerialKiller

https://owasp.org/index.php/Deserialization_of_untrusted_data

https://owasp.org/index.php/Deserialization_Cheat_Sheet#Java

My question is whether a similar pattern exists for .NET. Are there any tools to test exploits for this?

The article below mentions a JSON deserialization flaw in Breeze, a JSON deserialization flaw in NancyFX and an XML deserialization flaw in DotNetNuke:

https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/

I have been reading about XML External Entity (XXE) injection for System libraries but nothing with deserialization in .NET.

https://owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET

Ogglas
  • 677
  • 4
  • 12
  • 26

1 Answer

3

Insecure deserialization is not a Java-specific flaw; all languages are subject to this kind of vulnerability. Please have a look at this 2017 Black Hat conference talk: Friday the 13th: JSON attacks. It focuses on .Net JSON serializers.

You can find a useful tool to test your developments in ysoserial.

Regarding XXE, it has nothing to do with serialization; those two vulnerabilities are clearly separated in the latest OWASP Top Ten.

AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
gfrancqu
  • 66
  • 2
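The indicators listed in the question ("AC ED 00 05", "rO0", the `application/x-java-serialized-object` content type) and the .NET JSON serializers the answer points to can both be turned into a small traffic triage check. The script below is an added example, not code from the question, the answer, or any of the linked tools. It parses constructed HTTP messages (the samples are made up for this illustration) and reports which serialization indicators appear. It goes beyond the page in one respect: it also looks for the .NET BinaryFormatter stream header (an MS-NRBF SerializationHeaderRecord, whose first bytes are `00 01 00 00 00 FF FF FF FF 01 00 00 00 00 00 00 00`, base64 prefix `AAEAAAD/////`) and for a `"$type"` member in JSON bodies, which is what Json.NET emits when type-name handling is enabled; those two facts are about the formats themselves, not something the page states.

```python
import base64
import re

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of the first three header bytes (AC ED 00) is "rO0", which is why that
# prefix shows up in encoded form fields, cookies and view state.
JAVA_MAGIC_B64 = b"rO0"
JAVA_CONTENT_TYPE = "application/x-java-serialized-object"

# .NET BinaryFormatter (MS-NRBF) SerializationHeaderRecord: record type 0x00,
# RootId = 1, HeaderId = -1, MajorVersion = 1, MinorVersion = 0, all little-endian.
# This is a fact about the format, not something stated on the original page.
DOTNET_BF_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
DOTNET_BF_MAGIC_B64 = b"AAEAAAD/////"

# Json.NET writes a "$type" member when TypeNameHandling is enabled; a client
# supplying it is a sign the server may resolve .NET types from untrusted JSON.
JSON_TYPE_HINT = re.compile(rb'"\$type"\s*:')


def base64_prefix(magic: bytes, length: int) -> str:
    """Return the first `length` base64 characters of a byte prefix (shows where "rO0" comes from)."""
    return base64.b64encode(magic)[:length].decode("ascii")


def parse_http_message(raw: bytes):
    """Split a raw HTTP request into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers, body


def find_serialization_indicators(raw: bytes):
    """Return the list of serialization indicators present in one HTTP message."""
    headers, body = parse_http_message(raw)
    hits = []
    if JAVA_CONTENT_TYPE in headers.get("content-type", "").lower():
        hits.append("java:content-type")
    if body.startswith(JAVA_MAGIC):
        hits.append("java:stream-magic")
    elif JAVA_MAGIC_B64 in body:
        # Lower confidence: "rO0" can occur inside any base64 text by chance.
        hits.append("java:base64-magic")
    if body.startswith(DOTNET_BF_MAGIC):
        hits.append("dotnet:binaryformatter-header")
    elif DOTNET_BF_MAGIC_B64 in body:
        hits.append("dotnet:base64-binaryformatter-header")
    if JSON_TYPE_HINT.search(body):
        hits.append("dotnet:json-type-hint")
    return hits


# Constructed sample requests (hostnames, paths and payload contents are made up).
SAMPLE_JAVA_RAW = (
    b"POST /invoke HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-java-serialized-object\r\n\r\n"
    + JAVA_MAGIC + b"sr\x00\x0cExample.Bean"
)
SAMPLE_JAVA_B64 = (
    b"POST /state HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"state=" + base64.b64encode(JAVA_MAGIC + b"sr\x00\x0cExample.Bean")
)
SAMPLE_DOTNET_RAW = (
    b"POST /remote HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + DOTNET_BF_MAGIC + b"\x0b"
)
SAMPLE_JSON_TYPE = (
    b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"$type": "Example.Widget, Example", "name": "demo"}'
)
SAMPLE_BENIGN = (
    b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"name": "demo", "id": 42}'
)

if __name__ == "__main__":
    print("Java base64 prefix:", base64_prefix(JAVA_MAGIC, 3))
    print(".NET BinaryFormatter base64 prefix:", base64_prefix(DOTNET_BF_MAGIC, 12))
    for label, msg in [("java-raw", SAMPLE_JAVA_RAW), ("java-b64", SAMPLE_JAVA_B64),
                       ("dotnet-raw", SAMPLE_DOTNET_RAW), ("json-type", SAMPLE_JSON_TYPE),
                       ("benign", SAMPLE_BENIGN)]:
        print(f"{label}: {find_serialization_indicators(msg)}")
```

The content-type and raw-magic checks are high confidence; the base64 checks only confirm that a stream header is present somewhere in an encoded field, and the `"$type"` check is a hint that the endpoint should be reviewed for type-name handling rather than proof of a flaw. In practice you would run this over a proxy export or pcap-extracted requests and review the hits.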