
Avoiding Insecure Serialization & Deserialization

Published on

.NET has many ways of serializing and deserializing data. Deserializing untrusted data with an insecure deserializer can lead to remote code execution and complete system compromise, and serializing types without the proper attributes can expose sensitive data. Describe the risk of exposing sensitive data via serialization and explore unsafe and safe methods of serialization in .NET. Investigate risky and secure approaches to deserialization with JSON.NET, and with BinaryFormatter using a custom SerializationBinder, and review tips for preventing serialization and deserialization vulnerabilities.
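As an added illustration (not code from the original page), the snippet below shows the defensive pattern the abstract refers to: an allow-list SerializationBinder shared by BinaryFormatter and JSON.NET, JSON.NET settings that ignore or restrict `$type`, and attributes that keep a secret out of serialized output. It assumes the Newtonsoft.Json package, C# 9 or later, and a hypothetical `Order` DTO.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO: the attributes keep the secret out of each serializer's output.
[Serializable]
public class Order
{
    public int Id { get; set; }
    [JsonIgnore] public string? PaymentToken { get; set; }   // omitted by JSON.NET
    [NonSerialized] public string? SessionCache;             // omitted by BinaryFormatter
}

// Allow-list binder for both BinaryFormatter (SerializationBinder) and
// JSON.NET (ISerializationBinder). Any type name not listed fails closed.
public sealed class AllowListBinder : SerializationBinder, ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new() { [typeof(Order).FullName!] = typeof(Order) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Unexpected type name: abort rather than let the payload pick the type.
        throw new SerializationException($"Type '{typeName}' is not permitted.");
    }

    public override void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
    {
        assemblyName = null;               // keep assembly details out of the output
        typeName = serializedType.FullName;
    }
}

public static class SafeDeserialization
{
    // Default and safest: a "$type" property in the payload is ignored entirely.
    public static readonly JsonSerializerSettings NoTypeNames =
        new() { TypeNameHandling = TypeNameHandling.None };

    // Only when polymorphic payloads are required: honour "$type", but let the binder decide.
    public static readonly JsonSerializerSettings Restricted =
        new() { TypeNameHandling = TypeNameHandling.Objects, SerializationBinder = new AllowListBinder() };

    // BinaryFormatter is obsolete since .NET 5 and disabled by default in recent releases;
    // legacy code that must still call it should at least restrict types via Binder.
    public static BinaryFormatter LegacyFormatter() => new() { Binder = new AllowListBinder() };
}
```

With `NoTypeNames`, `JsonConvert.DeserializeObject<Order>(json, SafeDeserialization.NoTypeNames)` never instantiates a type named by the payload; with `Restricted`, a `$type` outside the allow-list raises `SerializationException` instead of resolving.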