I have minimal experience exploiting deserialization vulnerabilities and I am working on and I have identified the following URL endpoint. This is it URL Decoded:
/Account/Register?Count=0&Keys=System.Collections.Generic.Dictionary`2+KeyCollection[System.String,System.Object]&Values=System.Collections.Generic.Dictionary`2+ValueCollection[System.String,System.Object]
I'd appreciate some help explaining if it's exploitable, and if so, how so I can prove impact to the client. Thank you.
This looks more like a bug in the application which is ignored or handled by the server rather than something exploitable.
This code (in c#)
List<string> list = new List<string>();
list.Add("Hello");
list.Add("World");
Console.WriteLine(list.ToString());
Outputs:
System.Collections.Generic.List`1[System.String]
So it would appear that while the developer is expecting to output the contents of the keys and value lists into the url they are in fact just outputting the type of the object. Since it doesn't seem like this features can work in the first place it's difficult to see how it's exploitable, it probably falls more under the information disclosure category than an exploit.
