Spring4shell in Aspnet

Spring4shell is a deserialization vulnerability that affects Java-based Spring applications, allowing remote code execution through malicious object payloads. While Aspnet runs on .NET rather than Java, understanding Spring4shell helps Aspnet developers recognize similar deserialization patterns in their own applications.

In Aspnet applications, the equivalent vulnerability often manifests through:

• Improper handling of serialized objects in API endpoints
• Unsafe deserialization of JSON payloads without validation
• Using Type.GetType() with user-controlled input
• Reflection-based object instantiation from untrusted sources
• BinaryFormatter deserialization in legacy code

Consider this Aspnet vulnerability pattern that mirrors Spring4shell's exploitation vector:

public IActionResult ProcessData([FromBody] object data) {
    var type = Type.GetType(Request.Headers["X-Type"]);
    var instance = Activator.CreateInstance(type, data);
    return Ok(instance);
}

An attacker could send a request with a malicious type name, causing Aspnet to instantiate arbitrary classes and potentially execute code during construction. This mirrors Spring4shell's exploitation of Java's reflection and deserialization mechanisms.

Another common Aspnet pattern vulnerable to similar attacks:

public async Task<ActionResult> UploadFile(IFormFile file) {
    var content = await new StreamReader(file.OpenReadStream()).ReadToEndAsync();
    var deserialized = JsonConvert.DeserializeObject(content);
    return Ok(deserialized);
}

If the JSON contains type information or the application uses TypeNameHandling, this creates a deserialization vulnerability analogous to Spring4shell's object injection.

Detecting Spring4shell-like vulnerabilities in Aspnet requires examining both code patterns and runtime behavior. middleBrick's black-box scanning approach identifies these issues without requiring source code access:

Code Pattern Analysis

middleBrick scans for Aspnet-specific deserialization patterns including:

- Activator.CreateInstance with user input
- Type.GetType with request parameters
- BinaryFormatter usage
- JsonSerializer with TypeNameHandling
- Unsafe XML deserialization
- Dynamic object creation from user data

Runtime Testing

The scanner actively tests endpoints by sending crafted payloads that attempt to trigger deserialization vulnerabilities:

POST /api/ProcessData HTTP/1.1
Content-Type: application/json
X-Type: System.Diagnostics.ProcessStartInfo

{"FileName": "cmd.exe", "Arguments": "/c whoami"}

middleBrick Dashboard Findings

When scanning an Aspnet API, middleBrick provides:

• Security risk score (A-F) based on detected vulnerabilities
• Per-category breakdowns including Authentication, Input Validation, and Data Exposure
• Specific findings with severity levels (Critical/High/Medium/Low)
• Remediation guidance tailored to Aspnet patterns
• OpenAPI spec analysis showing where deserialization occurs

CLI Detection

Using the middleBrick CLI for Aspnet APIs:

middlebrick scan https://yourapi.com/api/ProcessData --format json

This returns detailed findings about deserialization vulnerabilities, including the specific Aspnet code patterns detected and their risk levels.

Securing Aspnet applications against Spring4shell-like vulnerabilities requires both immediate fixes and architectural changes. Here are Aspnet-specific remediation strategies:

Safe Deserialization Practices

Replace unsafe deserialization with type-safe alternatives:

// Unsafe - vulnerable to type injection
public IActionResult ProcessData([FromBody] object data) {
    return Ok(data);
}

Instead, use strongly-typed models:

// Safe - type-safe deserialization
public IActionResult ProcessData([FromBody] MySafeModel data) {
    if (!ModelState.IsValid) {
        return BadRequest(ModelState);
    }
    return Ok(ProcessDataSafely(data));
}

Input Validation and Type Safety

Implement strict type validation:

public IActionResult ProcessData([FromBody] MySafeModel data) {
    // Validate all properties
    if (string.IsNullOrEmpty(data?.Property1) ||
        data.Property2 < 0 || data.Property2 & gt; 100) {
        return BadRequest("Invalid input");
    }
    return Ok(ProcessDataSafely(data));
}

Reflection Security

Secure reflection-based code:

// Unsafe - allows arbitrary type creation
public IActionResult CreateInstance([FromQuery] string typeName) {
    var type = Type.GetType(typeName);
    return Ok(Activator.CreateInstance(type));
}

Replace with a whitelist approach:

// Safe - only allows specific types
private static readonly HashSet<string> AllowedTypes = new() {
    "MyApp.Models.SafeType1",
    "MyApp.Models.SafeType2"
};

JSON.NET Configuration

Configure JsonSerializer securely:

services.AddControllers().AddNewtonsoftJson(options => {
    options.SerializerSettings.TypeNameHandling = TypeNameHandling.None;
    options.SerializerSettings.MaxDepth = 32;
    options.SerializerSettings.CheckAdditionalContent = true;
});

BinaryFormatter Replacement

Replace BinaryFormatter with safer alternatives:

// Unsafe legacy code
var formatter = new BinaryFormatter();
var obj = formatter.Deserialize(stream);

Use System.Text.Json instead:

// Safe modern approach
var obj = await JsonSerializer.DeserializeAsync<MySafeType>(stream);

middleBrick Integration

Integrate middleBrick into your Aspnet CI/CD pipeline:

name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run middleBrick scan
      run: middlebrick scan ${{ secrets.API_URL }} --fail-on-severity=high

This ensures Spring4shell-like vulnerabilities are caught before deployment.