csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization

profile photo of semgrepsemgrep
Author
5,563
Download Count*

The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-javascriptserializer-deserialization
    severity: ERROR
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: The SimpleTypeResolver class is insecure and should not be used. Using
      SimpleTypeResolver to deserialize JSON could allow the remote client to
      execute malicious code within the app and take control of the web server.
    patterns:
      - pattern-inside: |
          using System.Web.Script.Serialization;
          ...
      - pattern: |
          new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))

Examples

javascript-serializer.cs

using System.Web.Script.Serialization;

namespace InsecureDeserialization
{
    public class InsecureJavascriptSerializerDeserialization
    {
        public void JavascriptSerializerDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-javascriptserializer-deserialization
                var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
                serializer.DeserializeObject(json);

                var resolver = new SimpleTypeResolver()
                // ruleid: insecure-javascriptserializer-deserialization
                var serializer2 = new JavaScriptSerializer(resolver);
                serializer2.DeserializeObject(json);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}