csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization

Author: semgrep

The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure.


Definition

rules:
  - id: insecure-losformatter-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8
      category: security
      technology:
        - .net
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: The LosFormatter type is dangerous and is not recommended for data
      processing. Applications should stop using LosFormatter as soon as
      possible, even if they believe the data they're processing to be
      trustworthy. LosFormatter is insecure and can't be made secure
    patterns:
      - pattern-inside: |
          using System.Web.UI;
          ...
      - pattern: |
          new LosFormatter();

Examples

los-formatter.cs

using System;          // needed for Exception and Console
using System.Web.UI;   // LosFormatter lives here; this import is what the rule's pattern-inside keys on

namespace InsecureDeserialization
{
    public class InsecureLosFormatterDeserialization
    {
        // Deserializes a caller-supplied string with LosFormatter. Because the
        // formatter reconstructs whatever object graph the payload describes,
        // any untrusted input reaching this method is a CWE-502 exposure.
        public void LosFormatterDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-losformatter-deserialization
                LosFormatter losFormatter = new LosFormatter();
                object obj = losFormatter.Deserialize(json);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
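As an added example (not part of the Semgrep rule or its test file), here is the shape of a replacement for the flagged code: the untrusted string is bound to a single concrete DTO with System.Text.Json, which never instantiates types named in the payload, so there is no object-graph reconstruction for hostile input to steer. The PageState type, the method names and the depth limit are assumptions chosen for this illustration.

```csharp
using System;
using System.Text.Json;

namespace InsecureDeserialization
{
    // Hypothetical DTO: the only shape the application expects to receive.
    public sealed class PageState
    {
        public int Page { get; set; }
        public string Filter { get; set; } = "";
    }

    public static class SafeStateHandling
    {
        // Drop-in counterpart to LosFormatterDeserialization above: the input is
        // mapped onto PageState only, so type information in the payload is ignored.
        public static PageState? ParseState(string json)
        {
            var options = new JsonSerializerOptions
            {
                PropertyNameCaseInsensitive = true,
                MaxDepth = 8, // assumed bound; limits nesting on hostile input
            };
            try
            {
                return JsonSerializer.Deserialize<PageState>(json, options);
            }
            catch (JsonException)
            {
                return null; // malformed input is rejected rather than "repaired"
            }
        }

        // Producer side, so the same DTO round-trips through the same serializer.
        public static string SerializeState(PageState state) =>
            JsonSerializer.Serialize(state);

        public static void Main()
        {
            // Constructed sample input, not captured from a real application.
            string wire = SerializeState(new PageState { Page = 3, Filter = "open" });
            PageState? back = ParseState(wire);
            Console.WriteLine(back is null ? "rejected" : $"page={back.Page} filter={back.Filter}");
        }
    }
}
```

Migrating from LosFormatter means also re-serializing any persisted state in the new format; there is no safe way to keep reading the old LosFormatter payloads.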