Insecure Deserialization in Aspnet
How Insecure Deserialization Manifests in Aspnet
In Aspnet applications, insecure deserialization commonly occurs when user-controlled input is passed to BinaryFormatter.Deserialize(), LosFormatter.Deserialize(), or ObjectStateFormatter.Deserialize() without proper validation. Attackers can craft payloads that trigger arbitrary code execution during deserialization, particularly when types such as System.Windows.Data.ObjectDataProvider or System.Diagnostics.Process can be reached within the deserialization graph. A typical vulnerable pattern appears in ASP.NET Web Forms ViewState handling, where custom deserialization logic in Page.LoadPageStateFromPersistenceMedium() overrides may accept tampered __VIEWSTATE parameters. Another vector exists in ASP.NET Core when System.Text.Json.JsonSerializer.Deserialize<object>() is used with polymorphic types and settings equivalent to TypeNameHandling.All, allowing attackers to inject types that execute code during construction or property setting, or through the ISerializable or IDeserializationCallback interfaces. Real-world exploitation mirrors CVE-2019-18935 (Telerik UI), where ViewState deserialization led to RCE, and similar flaws have been found in ASP.NET applications that use BinaryFormatter for session state or caching.
Aspnet-Specific Detection
Identifying insecure deserialization in Aspnet requires analyzing both code patterns and runtime behavior. Static analysis can flag usage of dangerous deserializers such as BinaryFormatter (marked obsolete since .NET 5) or LosFormatter on user-controlled input. Dynamic detection involves monitoring for deserialization of unexpected types, e.g. a ViewState payload containing System.Windows.Data.ObjectDataProvider targeting System.Diagnostics.Process.Start. middleBrick detects these issues during its unauthenticated black-box scan by injecting serialized payloads designed to trigger deserialization gadgets specific to Aspnet frameworks. It checks for error responses, timing anomalies, or successful execution indicators when payloads are sent to endpoints that consume ViewState, session cookies, or custom binary formats. For example, if an endpoint reflects deserialization errors in HTTP 500 responses or behaves differently when a malicious __VIEWSTATE is submitted, middleBrick flags this as a potential insecure deserialization finding under the 'Input Validation' or 'Data Exposure' categories, providing the exact payload and remediation guidance in its report.
Aspnet-Specific Remediation
Fixing insecure deserialization in Aspnet involves eliminating unsafe deserializers and implementing strict type validation. Replace BinaryFormatter with System.Text.Json.JsonSerializer or XmlSerializer and disable type name handling. For ViewState in Web Forms, enable ViewStateUserKey and enableViewStateMac=\
Frequently Asked Questions
Can enabling ViewState MAC alone prevent insecure deserialization attacks in Aspnet Web Forms?
Setting enableViewStateMac="true" prevents tampering but does not stop deserialization of malicious ViewState if the application uses a predictable or static validation key. An attacker who can predict or obtain the validation key (e.g., through machine key disclosure) can still craft valid ViewState payloads. True protection requires combining MAC with strong, unique keys per application and avoiding deserialization of user-controlled data into dangerous types, preferably by not using ViewState for sensitive state or by upgrading to ASP.NET Core, where ViewState is not used.
Is JsonSerializer.Deserialize<object>() in ASP.NET Core inherently unsafe?
JsonSerializer.Deserialize<object>() is safe by default because it does not preserve CLR type information during deserialization. Risk arises only when TypeNameHandling is configured (via JsonSerializerOptions) to include type names, which is not the default behavior. Avoid settings that allow type name injection unless absolutely necessary, and if they are used, restrict the allowed types through a custom SerializationBinder or its equivalent in JSON serialization.
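As an added example (not code from the original page or from middleBrick), the vulnerable BinaryFormatter pattern beside the hardened replacement that the remediation section and the FAQ answer above describe: a single concrete DTO deserialized with System.Text.Json, behind a MAC check so tampered state is rejected before any deserialization happens. OrderState, StateCodec and the HMAC-prefixed wire format are assumptions, and key is assumed to be a per-application secret loaded from configuration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical page state that the application round-trips through the client.
public sealed record OrderState(int OrderId, string Coupon, decimal Total);

public static class StateCodec
{
    // VULNERABLE: BinaryFormatter rebuilds whatever object graph the client sends, so a gadget
    // chain in the payload runs inside Deserialize(). Obsolete since .NET 5 (SYSLIB0011).
    public static object UnsafeDecode(string base64)
    {
        using var ms = new MemoryStream(Convert.FromBase64String(base64));
#pragma warning disable SYSLIB0011
        return new BinaryFormatter().Deserialize(ms); // the client chooses the CLR types
#pragma warning restore SYSLIB0011
    }
    // HARDENED: System.Text.Json reads no type names, so the client cannot pick the type built;
    // unexpected members are rejected (.NET 8+) and a per-application HMAC key guards integrity.
    private static readonly JsonSerializerOptions Options = new()
    {
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        MaxDepth = 8,
    };
    // Assumed wire format: base64( HMAC-SHA256 tag (32 bytes) || UTF-8 JSON body ).
    public static string SafeEncode(OrderState state, byte[] key)
    {
        var body = JsonSerializer.SerializeToUtf8Bytes(state, Options);
        var tag = HMACSHA256.HashData(key, body);
        var blob = new byte[tag.Length + body.Length];
        tag.CopyTo(blob, 0); body.CopyTo(blob, tag.Length);
        return Convert.ToBase64String(blob);
    }
    public static OrderState SafeDecode(string base64, byte[] key)
    {
        var blob = Convert.FromBase64String(base64);
        if (blob.Length <= 32) throw new InvalidDataException("state too short");
        var body = blob.AsSpan(32);
        var expected = HMACSHA256.HashData(key, body);
        if (!CryptographicOperations.FixedTimeEquals(blob.AsSpan(0, 32), expected))
            throw new InvalidDataException("state MAC mismatch"); // tampered or wrong key
        var state = JsonSerializer.Deserialize<OrderState>(body, Options) ?? throw new InvalidDataException("empty state");
        if (state.OrderId <= 0 || state.Total < 0) throw new InvalidDataException("state out of range");
        return state;
    }
}
```

A payload that fails the MAC check never reaches JsonSerializer, and even a valid one can only ever produce an OrderState, which is the property that BinaryFormatter and type-name-aware JSON settings lack.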