Attacking Insecure Deserialization in .NET — Part 2: Formatters and .NET Commons Gadgets
In Part 1, we explored the basics of insecure deserialization in .NET, demonstrated an example using Newtonsoft.Json TypeNameHandling feature in a vulnerable ASP.NET testing lab, and ysoserial tool which is used such attacks. You can see Part 1 here. In this part, we focus on something every security researcher or .NET developer must recognize: Dangerous serializers. Some .NET formatters allow type metadata to be reconstructed during deserialization, which can enable attackers to trigger ...
Attacking Insecure Deserialization in .NET — Part 1: Fundamentals, Lab Setup, and $type Metadata Abuse
IntroductionThis article introduces Insecure Deserialization attacks in .NET and explains how attackers abuse gadget chains to achieve remote code execution. We will explore: The fundamentals of .NET deserialization Gadget chains, and Serializers Build a vulnerable ASP.NET lab for testing Type metadata abuse via TypeNameHandling.All Insecure Deserialization in .NET – Definition, Key Concepts, Tools, and Exploitation FlowDefinitionThis vulnerability occurs when an application deserializes...