SYM_CS_0027 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
Property | Value |
---|---|
Language | csharp |
Severity | |
CWE | CWE-502: Deserialization of Untrusted Data |
OWASP | A08:2017 - Insecure Deserialization |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Constructing a JavaScriptSerializer with a SimpleTypeResolver (or any JavaScriptTypeResolver that maps an arbitrary type name to a Type) and then deserializing untrusted JSON is insecure. When a type resolver is present, the serializer honours the "__type" member of the incoming JSON, resolves it to a .NET type (SimpleTypeResolver does this with Type.GetType on the attacker-supplied string), instantiates that type and populates its public properties and fields from the payload, regardless of the type the calling code asked for. Malicious data can therefore choose which type is created, and which constructor and property setters run, during JSON deserialization.
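The following C# program is an added example written for this entry; it is not code from the Symbiotic database or from any referenced project. It shows the vulnerable pattern beside two hardened forms and uses a constructed payload that names a harmless type (the hypothetical AuditLogEntry) so the effect is observable without a real gadget; the application types UserProfile, AuditLogEntry and AllowListTypeResolver are assumptions made for the demonstration. It targets .NET Framework, where JavaScriptSerializer lives in System.Web.Extensions.dll.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization;   // System.Web.Extensions.dll, .NET Framework

// The type the endpoint intends to accept (hypothetical application type).
public class UserProfile
{
    public string Name { get; set; }
    public int Age { get; set; }
}

// An unrelated type in the same assembly (hypothetical). It stands in for any type an
// attacker might name via "__type"; a real attack names a type whose constructor or
// setters do something harmful. Here the setter only records that it ran.
public class AuditLogEntry
{
    private string _message;
    public string Message
    {
        get { return _message; }
        set { _message = value; SetterRan = true; }
    }
    public bool SetterRan { get; private set; }
}

public static class ProfileDeserializer
{
    // VULNERABLE: SimpleTypeResolver resolves the payload's "__type" member with
    // Type.GetType, so the client decides which type is constructed and which setters run.
    public static object DeserializeUnsafe(string json)
    {
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.Deserialize<object>(json);
    }

    // HARDENED (option 1): no type resolver. The serializer strips "__type" from the
    // payload without acting on it, so only the declared target type is instantiated.
    public static UserProfile DeserializeSafe(string json)
    {
        var serializer = new JavaScriptSerializer();
        return serializer.Deserialize<UserProfile>(json);
    }

    // HARDENED (option 2): polymorphism is genuinely needed, so "__type" is kept but
    // restricted to an explicit allowlist. An unknown id resolves to null, which makes
    // the serializer throw InvalidOperationException instead of constructing anything.
    public static object DeserializeAllowListed(string json)
    {
        var serializer = new JavaScriptSerializer(new AllowListTypeResolver());
        return serializer.Deserialize<object>(json);
    }
}

// Allowlist resolver (hypothetical): short, fixed ids instead of assembly-qualified names,
// so the payload cannot reach any type that is not listed here.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { "UserProfile", typeof(UserProfile) },
    };

    public override Type ResolveType(string id)
    {
        Type t;
        return Allowed.TryGetValue(id, out t) ? t : null;
    }

    public override string ResolveTypeId(Type type)
    {
        foreach (var kv in Allowed)
            if (kv.Value == type) return kv.Key;
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed payload: "__type" carries the assembly-qualified name of AuditLogEntry,
        // i.e. exactly what SimpleTypeResolver expects, instead of the intended UserProfile.
        string hostile = "{\"__type\":\"" + typeof(AuditLogEntry).AssemblyQualifiedName +
                         "\",\"Message\":\"attacker controlled\"}";

        // Vulnerable path: the runtime type and the setter flag show the attacker's choice won.
        object o = ProfileDeserializer.DeserializeUnsafe(hostile);
        Console.WriteLine("unsafe: got " + o.GetType().Name + ", setter ran = "
                          + ((AuditLogEntry)o).SetterRan);

        // Hardened path 1: the same payload yields a UserProfile; the unknown member is ignored.
        UserProfile p = ProfileDeserializer.DeserializeSafe(hostile);
        Console.WriteLine("safe: got " + p.GetType().Name);

        // Hardened path 2: the id is not on the allowlist, so deserialization fails closed.
        try
        {
            ProfileDeserializer.DeserializeAllowListed(hostile);
            Console.WriteLine("allowlist: accepted (unexpected)");
        }
        catch (InvalidOperationException)
        {
            Console.WriteLine("allowlist: rejected, type id not permitted");
        }
    }
}
```

Two points worth noting when reviewing real code. First, the target type passed to Deserialize<T> is not a defence: with a resolver in place the attacker-chosen type is constructed and its setters executed before any cast to T is attempted, so even Deserialize<string> is exploitable. Second, the allowlist resolver above is the only variant that keeps "__type" and stays safe; a resolver that falls back to Type.GetType, or that matches on type names derived from the payload, reintroduces the original problem.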
Impact
If exploited, an attacker who can name a suitable type among the assemblies loaded in the application (a deserialization "gadget") can execute arbitrary code on the web server, potentially taking full control of the application and the server environment. This can lead to data breaches, website defacement or complete system compromise. Because the payload selects the type, the impact is bounded only by the constructors and property setters reachable in the application's dependencies, not by the type the code intended to accept.