csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization
semgrep
Author
5,563
Download Count*
License
The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.
Run Locally
Run in CI
Defintion
rules:
- id: insecure-javascriptserializer-deserialization
severity: ERROR
languages:
- C#
metadata:
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks
category: security
technology:
- .net
confidence: LOW
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
message: The SimpleTypeResolver class is insecure and should not be used. Using
SimpleTypeResolver to deserialize JSON could allow the remote client to
execute malicious code within the app and take control of the web server.
patterns:
- pattern-inside: |
using System.Web.Script.Serialization;
...
- pattern: |
new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))
Examples
javascript-serializer.cs
using System.Web.Script.Serialization;
namespace InsecureDeserialization
{
public class InsecureJavascriptSerializerDeserialization
{
public void JavascriptSerializerDeserialization(string json)
{
try
{
// ruleid: insecure-javascriptserializer-deserialization
var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
serializer.DeserializeObject(json);
var resolver = new SimpleTypeResolver()
// ruleid: insecure-javascriptserializer-deserialization
var serializer2 = new JavaScriptSerializer(resolver);
serializer2.DeserializeObject(json);
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
}
Short Link: https://sg.run/0nJq