Deserialization of potentially untrusted data
Description
Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed upon object construction, or to exploit mass assignment by setting fields the application never meant to accept from input. To protect against this, consider safer alternatives such as serializing data in the JSON format and only allowing deserialization of the specific fields that are required.
Examples
Insecure Code

```csharp
// BinaryFormatter reconstructs whatever type the stream names, so attacker-controlled
// input decides which objects (and which constructors/callbacks) run.
var formatter = new BinaryFormatter();
var obj = formatter.Deserialize(stream);
```

Secure Code

```csharp
// Deserialize into one explicitly chosen type; only MyType's declared members are populated.
var obj = JsonConvert.DeserializeObject<MyType>(jsonString);
```

Remediation
Use a safer serialization format like JSON and only deserialize to specific object types, ensuring that only necessary fields are exposed.
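The following is an added example (not part of the rule page) showing the remediation in full: untrusted JSON is deserialized into a narrow DTO that rejects undeclared members and is then mapped explicitly onto the domain object, so privileged fields cannot be mass-assigned. It assumes System.Text.Json on .NET 8 or later (for `UnmappedMemberHandling`); the `User` and `CreateUserRequest` types and the `isAdmin` payload are constructed for illustration.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Domain object: IsAdmin must never be settable from client input.
public sealed class User
{
    public string Name { get; init; } = "";
    public string Email { get; init; } = "";
    public bool IsAdmin { get; init; }
}

// Hypothetical DTO exposing only the fields a client may supply.
public sealed class CreateUserRequest
{
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
}

public static class UntrustedInput
{
    private static readonly JsonSerializerOptions Options = new()
    {
        // Reject payloads carrying members the DTO does not declare
        // (such as an "isAdmin" key) instead of silently ignoring them.
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        PropertyNameCaseInsensitive = true,
    };

    public static User ParseCreateUser(string json)
    {
        var dto = JsonSerializer.Deserialize<CreateUserRequest>(json, Options)
                  ?? throw new JsonException("empty payload");
        if (string.IsNullOrWhiteSpace(dto.Name) || !dto.Email.Contains('@'))
            throw new JsonException("invalid user fields");
        // Explicit mapping: privileged fields are decided server-side only.
        return new User { Name = dto.Name, Email = dto.Email, IsAdmin = false };
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample payloads: the second one attempts mass assignment.
        var ok = UntrustedInput.ParseCreateUser("""{"name":"alice","email":"a@example.org"}""");
        Console.WriteLine($"accepted: {ok.Name}, admin={ok.IsAdmin}");
        try { UntrustedInput.ParseCreateUser("""{"name":"bob","email":"b@example.org","isAdmin":true}"""); }
        catch (JsonException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

With Newtonsoft.Json, as in the Secure Code snippet above, the equivalent hardening is to keep `TypeNameHandling` at its default of `None` so the payload cannot name the type to instantiate, and to deserialize into a similarly narrow DTO.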
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0447 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, insecure deserialization |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |