Description

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object.

It is determined that the web application uses JSON.NET library in a configuration that allows deserialization of objects of arbitrary classes. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data.

Remediation

Set TypeNameHandling to None or implement strict SerializationBinder

References

Related Vulnerabilities