Community

Learn

Tools Library

AI Tools

Leisure

English

Home > Backend Development > C++ > Is Automatic JSON Deserialization with Json.Net's `TypeNameHandling.Auto` Secure, Even When Limiting Deserialization to a Specific Type?

Is Automatic JSON Deserialization with Json.Net's `TypeNameHandling.Auto` Secure, Even When Limiting Deserialization to a Specific Type?

Mary-Kate Olsen

Release： 2025-01-07 14:16:41

Original

874 people have browsed it

Is Automatic JSON Deserialization with Json.Net's `TypeNameHandling.Auto` Secure, Even When Limiting Deserialization to a Specific Type?

Can External JSON Be Vulnerable Due to Json.Net TypeNameHandling Auto?

Problem:

In website applications where users upload custom JSON objects, it is imperative to be aware of potential threats arising from automated JSON type deserialization. The question is whether automatic type deserialization is susceptible to vulnerabilities if the only type deserialized is a specific type (e.g., MyObject) and none of MyObject's members have the type System.Object or dynamic.

Answer:

While adhering to these conditions significantly reduces the risk, it does not guarantee complete protection. Json.Net's TypeNameHandling setting, when set to Auto, can potentially create objects based on "$type" information even when no corresponding field exists in MyObject.

Detailed Explanation:

Attacks targeting Json.Net exploit the TypeNameHandling setting to construct "attack gadgets" - objects designed to compromise the receiving system. Json.Net's protection mechanisms include ignoring unknown properties and checking for type compatibility. However, there are scenarios where an attack gadget can be constructed even without any obvious untyped members:

Deserialization of untyped collections (e.g., ArrayList, List
)
Deserialization of semi-typed collections (e.g., CollectionBase)

Deserialization of types that implement ISerializable (e.g., Exception)

Deserialization of types with members conditional serialization (e.g., public object tempData; public bool ShouldSerializeTempData() { return false; })

Recommendations:
- Use caution: TypeNameHandling should be used prudently when deserializing external JSON, and a custom SerializationBinder is recommended for validation.
- Review Data Model: Ensure that no member types are object, dynamic, or compatible with attack gadgets.
- Consider Serialization Binder: Implement a custom SerializationBinder to strictly control which types are deserialized.
In conclusion, while the provided conditions significantly mitigate risk, it is important to note that it does not guarantee complete security. Json.Net's TypeNameHandling Auto setting may still potentially facilitate the creation of attack gadgets, necessitating additional precautions such as custom serialization binders.
The above is the detailed content of Is Automatic JSON Deserialization with Json.Net's `TypeNameHandling.Auto` Secure, Even When Limiting Deserialization to a Specific Type?. For more information, please follow other related articles on the PHP Chinese website!

source：php.cn

Previous article：How Can I Secure My JSON Deserialization from External Sources Using Json.Net's TypeNameHandling? Next article：How Secure is Your JSON Deserialization with Json.Net's TypeNameHandling?

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues

function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...

From 2024-04-29 11:01:01

0

3

2420

How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?

From 2024-04-23 00:22:19

0

11

2550

The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.

From 2024-04-19 15:37:47

0

1

2160

There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...

From 2024-04-18 23:52:34

0

1

2039

Where is the courseware about CSS mind mapping? Courseware

From 2024-04-16 10:10:18

0

0

2129
Related Topics
More>
Popular Recommendations
How to solve C++ syntax error: 'expected primary-expression before ';' token'?

How to solve C++ syntax error: 'expected primary-expression before ',' token'?

C++ compilation error: undeclared identifier, how to solve it?

C++ error: identifier not found, what should I do?

C++ error: variable not initialized, how to solve it?
Popular Tutorials
More>
Related Tutorials

Popular Recommendations

Latest courses

The latest ThinkPHP 5.1 world premiere video tutorial (60 days to become a PHP expert online training course)

1426941

PHP introductory tutorial one: Learn PHP in one week

4276802

JAVA Beginner's Video Tutorial

2573888

Little Turtle's zero-based introduction to learning Python video tutorial

509856

PHP zero-based introductory tutorial

866550

The latest ThinkPHP 5.1 world premiere video tutorial (60 days to become a PHP expert online training course)

1426941 times of learning

JAVA Beginner's Video Tutorial

2573888 times of learning

Little Turtle's zero-based introduction to learning Python video tutorial

509856 times of learning

Quick introduction to web front-end development

216214 times of learning

Master PS video tutorials from scratch

898221 times of learning

[Web front-end] Node.js quick start

8160 times of learning

Complete collection of foreign web development full-stack courses

6466 times of learning

Go language practical GraphQL

5379 times of learning

550W fan master learns JavaScript from scratch step by step

737 times of learning

Python master Mosh, a beginner with zero basic knowledge can get started in 6 hours

27333 times of learning
Latest Downloads
More>
Web Effects

Website Source Code

Website Materials

Front End Template

[form button] jQuery enterprise message form contact code

[Player special effects] HTML5 MP3 music box playback effects

[Menu navigation] HTML5 cool particle animation navigation menu special effects

[form button] jQuery visual form drag and drop editing code

[Player special effects] VUE.JS imitation Kugou music player code

[html5 special effects] Classic html5 pushing box game

[Picture special effects] jQuery scrolling to add or reduce image effects

[Photo album effects] CSS3 personal album cover hover zoom effect

[Front-end template] Home Decor Cleaning and Repair Service Company Website Template

[Front-end template] Fresh color personal resume guide page template

[Front-end template] Designer Creative Job Resume Web Template

[Front-end template] Modern engineering construction company website template

[Front-end template] Responsive HTML5 template for educational service institutions

[Front-end template] Online e-book store mall website template

[Front-end template] IT technology solves Internet company website template

[Front-end template] Purple style foreign exchange trading service website template

[PNG material] Cute summer elements vector material (EPS PNG)

[PNG material] Four red 2023 graduation badges vector material (AI EPS PNG)

[banner picture] Singing bird and cart filled with flowers design spring banner vector material (AI EPS)

[PNG material] Golden graduation cap vector material (EPS PNG)

[PNG material] Black and white style mountain icon vector material (EPS PNG)

[PNG material] Superhero silhouette vector material (EPS PNG) with different color cloaks and different poses

[banner picture] Flat style Arbor Day banner vector material (AI+EPS)

[PNG material] Nine comic-style exploding chat bubbles vector material (EPS+PNG)

[Front-end template] Home Decor Cleaning and Repair Service Company Website Template

[Front-end template] Fresh color personal resume guide page template

[Front-end template] Designer Creative Job Resume Web Template

[Front-end template] Modern engineering construction company website template

[Front-end template] Responsive HTML5 template for educational service institutions

[Front-end template] Online e-book store mall website template

[Front-end template] IT technology solves Internet company website template

[Front-end template] Purple style foreign exchange trading service website template
Public welfare online PHP training，Help PHP learners grow quickly！

About us Disclaimer Sitemap

© php.cn All rights reserved