How Can I Securely Handle TypeNameHandling in Newtonsoft Json to Prevent Deserialization Attacks?
TypeNameHandling
During JSON serialization and deserialization, TypeNameHandling must be handled carefully, especially when the data comes from an external source.
TypeNameHandling.All simplifies type resolution during deserialization, but it also carries a security risk. When the JSON being deserialized comes from an untrusted source, this setting lets Newtonsoft Json instantiate whatever type is named in the type metadata embedded in the document.
Potential danger:
An attacker can send a malicious JSON document containing a $type property. That property can reference a destructive type such as System.CodeDom.Compiler.TempFileCollection, which deletes files on the victim's system when it is finalized during garbage collection, compromising file integrity.
Example:
Consider the following malicious JSON payload:
<code class="language-json">{ "$type": "System.CodeDom.Compiler.TempFileCollection", "BasePath": "%SYSTEMDRIVE%", "KeepFiles": "False", "TempDir": "%SYSTEMROOT%" }</code>
If this JSON is deserialized without appropriate safeguards, a TempFileCollection instance is created and it attempts to delete files according to the supplied parameters.
Mitigation:
To reduce this risk, when deserializing with TypeNameHandling.All you must use a custom SerializationBinder that validates the transmitted type. The binder checks that the referenced type is safe before an instance is constructed.
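The following is an added example (not code from the original article) of the custom SerializationBinder approach described above. It implements an allowlist binder that only resolves types explicitly registered in advance, and it shows the page's TempFileCollection payload being rejected while a legitimate document still deserializes. The Message and TextMessage classes, the SafeJson helper, and the benign sample document are assumptions constructed for this demonstration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical application types used for the demonstration.
public abstract class Message { public string Sender { get; set; } }
public sealed class TextMessage : Message { public string Body { get; set; } }

// Allowlist binder: a "$type" value is honoured only if it names a type
// that was registered up front. Anything else is refused before any
// instance is constructed, which is what stops TempFileCollection.
public sealed class AllowlistSerializationBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowlistSerializationBinder(params Type[] allowedTypes)
    {
        foreach (var t in allowedTypes)
            _allowed[t.FullName] = t;
    }

    // Called by Newtonsoft Json for every "$type" it encounters.
    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type))
            return type;

        // Throwing (or returning null) makes the deserializer fail with a
        // JsonSerializationException instead of creating the object.
        throw new JsonSerializationException(
            $"Type '{typeName}' is not permitted for deserialization.");
    }

    // Used during serialization so our own output round-trips through BindToType.
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class SafeJson
{
    // TypeNameHandling.All is still enabled here; the binder is the control
    // that makes it safe to use on untrusted input.
    public static JsonSerializerSettings Settings() => new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All,
        SerializationBinder = new AllowlistSerializationBinder(typeof(TextMessage))
    };

    public static Message Parse(string json) =>
        JsonConvert.DeserializeObject<Message>(json, Settings());
}

public static class Program
{
    public static void Main()
    {
        // Constructed benign document: a registered type, so it deserializes.
        const string benign =
            "{\"$type\":\"TextMessage\",\"Sender\":\"alice\",\"Body\":\"hello\"}";
        var msg = (TextMessage)SafeJson.Parse(benign);
        Console.WriteLine($"OK: {msg.Sender} says '{msg.Body}'");

        // The payload from the article: the binder refuses to resolve the type,
        // so no TempFileCollection is ever created and no finalizer can run.
        const string malicious =
            "{ \"$type\": \"System.CodeDom.Compiler.TempFileCollection\", " +
            "\"BasePath\": \"%SYSTEMDRIVE%\", \"KeepFiles\": \"False\", \"TempDir\": \"%SYSTEMROOT%\" }";
        try
        {
            SafeJson.Parse(malicious);
            Console.WriteLine("UNEXPECTED: payload was accepted");
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

Two design points are worth noting. The binder is keyed on the exact full type name and ignores the assembly part of the $type value, so a payload cannot sidestep the check by naming an allowed type in an unexpected assembly. And the allowlist is the only thing standing between untrusted input and object construction, so if the application does not actually need polymorphic deserialization, leaving TypeNameHandling at its default of None removes the risk entirely rather than mitigating it.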