
C-sharp : Insecure JSON deserialization

Overview

Deserialization of user-controlled JSON objects can lead to arbitrary code execution on the server.

JSON serialization libraries can include metadata describing object types in the JSON they produce, so that the objects can be reconstructed later. If an attacker can set the object types to be instantiated and cause their methods to run with user-controlled data, they can execute arbitrary code while the JSON stream is deserialized.

DerScanner Severity Score: MEDIUM
