csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization

profile photo of returntocorpreturntocorp
Author
5,563
Download Count*

The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-soapformatter-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks
      category: security
      technology:
        - .net
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: The SoapFormatter type is dangerous and is not recommended for data
      processing. Applications should stop using SoapFormatter as soon as
      possible, even if they believe the data they're processing to be
      trustworthy. SoapFormatter is insecure and can't be made secure
    patterns:
      - pattern-inside: |
          using System.Runtime.Serialization.Formatters.Soap;
          ...
      - pattern: |
          new SoapFormatter();

Examples

soap-formatter.cs

using System.Runtime.Serialization.Formatters.Soap;

namespace InsecureDeserialization
{
    public class InsecureSoapFormatterDeserialization
    {
        public void SoapFormatterDeserialization(string json)
        {
            try
            {
                MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(json));

                // ruleid: insecure-soapformatter-deserialization
                SoapFormatter soapFormatter = new SoapFormatter();
                object obj = soapFormatter.Deserialize(ms);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}