
I have a question in regard to insecure deserialization with the JSON.Net component. It is my understanding that this component is safe by default unless you set the TypeNameHandling setting to anything other than None.

However, suppose you do not change the TypeNameHandling setting (so that the default applies), will the following implementation be vulnerable to insecure deserialization (for instance, to achieve RCE)?

JsonConvert.DeserializeObject<dynamic>(jsonModelFromUserinput)

I'm only able to create RCE when the default TypeNameHandling setting is changed.

  • This answers your question https://stackoverflow.com/questions/49038055/external-json-vulnerable-because-of-json-net-typenamehandling-auto – Soufiane Tahiri Dec 22 '20 at 09:57
  • Thank you. It helped me further. – VitoCorleone Dec 22 '20 at 10:31
  • 1
    Goodness gracious. The best part about JSON is that its simplicity means that parsing libraries have far less to worry about when it comes to application vulnerabilities. A tool where you have to worry about RCE when decoding JSON is just stupid... – Conor Mancone Dec 22 '20 at 13:26
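The following C# program is an added example, not code from the question or from the JSON.Net project, that makes the question's point concrete: under the default TypeNameHandling.None a "$type" key in user-supplied JSON is stored as ordinary data and never resolved to a type, whereas once TypeNameHandling is changed the name is honoured, so that setting should only ever be paired with an allow-list ISerializationBinder. The Widget and Gizmo classes, the AllowListBinder and the JSON inputs are all constructed for this example; it assumes the Newtonsoft.Json package is referenced.

```csharp
// Added example, not from the original question. Shows what JSON.Net does with a
// "$type" discriminator under (1) the default TypeNameHandling.None, (2) an
// unrestricted TypeNameHandling.Objects, and (3) TypeNameHandling.Objects with an
// allow-list ISerializationBinder. Assumes Newtonsoft.Json is referenced; the
// Widget and Gizmo classes and the JSON inputs are constructed for this example.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization;

public class Widget { public string Name { get; set; } }
public class Gizmo  { public string Name { get; set; } }

// Binder that only resolves "$type" names found on an explicit allow-list;
// every other name fails closed with an exception.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["Widget"] = typeof(Widget),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: user-controlled JSON that names a type via "$type".
        // Gizmo is harmless; the point is whether the name is honoured at all.
        string fullTypeName = typeof(Gizmo).FullName + ", " + typeof(Gizmo).Assembly.GetName().Name;
        string input = "{\"$type\":\"" + fullTypeName + "\",\"Name\":\"x\"}";

        // (1) Default settings (TypeNameHandling.None), exactly the call in the question.
        // "$type" is just another property: the result is a JObject and no type is resolved.
        dynamic d = JsonConvert.DeserializeObject<dynamic>(input);
        Console.WriteLine(d is JObject);            // True
        Console.WriteLine(d["$type"].ToString());   // the raw type name, kept as plain data

        // (2) TypeNameHandling changed away from None, with no binder: "$type" is now
        // resolved and an instance of whatever type it names is constructed.
        var unsafeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects };
        object o = JsonConvert.DeserializeObject<object>(input, unsafeSettings);
        Console.WriteLine(o.GetType().Name);        // Gizmo

        // (3) If type names must be honoured, restrict them with an allow-list binder.
        var hardened = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };
        string okInput  = "{\"$type\":\"Widget\",\"Name\":\"ok\"}";
        string badInput = "{\"$type\":\"Gizmo\",\"Name\":\"nope\"}";
        Console.WriteLine(JsonConvert.DeserializeObject<object>(okInput, hardened).GetType().Name); // Widget
        try
        {
            JsonConvert.DeserializeObject<object>(badInput, hardened);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message); // Gizmo is not on the allow-list
        }
    }
}
```

The binder keys on the bare type name that JSON.Net passes to BindToType, so the allow-list is independent of assembly versions; the same pattern applies to TypeNameHandling.Auto and All, which are the settings that make a "$type" value reachable from user input.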

0 Answers