Implicit and Mutation-Based Serialization Vulnerabilities in .NET

Explore novel attacks against .NET serialization that bypass current state-of-the-art mitigations in this 44-minute conference talk from NDC Security in Oslo, Norway. Delve into serialization exploits of platforms not using well-known .NET serializers, "mutation" attacks exploiting deserialization even with untampered serialized data, and techniques for bypassing serialization binders. Witness demonstrations of new remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net, and the .NET JavaScriptSerializer. Learn why applications using these platforms and technologies are likely vulnerable due to violations of typical serializer security assumptions. Discover techniques for detecting and mitigating these vulnerabilities, along with best practices for avoidance, as limited platform-level fixes often require additional application-level security measures.

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET - Jonathan Birch