Module Deserializers
Provides a library of known unsafe .NET deserializers, split into those that take the type to instantiate from the payload itself (weak-type) and those that only become exploitable when the caller's expected type is attacker-controlled (strong-type). See Muñoz and Mirosh, "Friday the 13th: JSON Attacks", Black Hat USA 2017: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf.
Import path
import semmle.code.csharp.serialization.Deserializers
Classes

| Name | Description |
|---|---|
| ActivityLoadMethod | |
| BinaryFormatterDeserializeMethod | |
| BinaryFormatterUnsafeDeserializeMethod | |
| BinaryFormatterUnsafeDeserializeMethodResponseMethod | |
| BinaryMessageFormatterReadMethod | |
| CsPicklerSerializerClassDeserializeMethod | |
| CsPicklerSerializerClassUnPickleMethod | |
| CsPicklerSerializerClassUnPickleOfStringMethod | |
| DataContractJsonSerializerClass | DataContractJsonSerializer |
| DataContractJsonSerializerReadObjectMethod | |
| DataContractSerializerClass | DataContractSerializer |
| DataContractSerializerReadObjectMethod | |
| FastJsonClassToObjectMethod | |
| FsPicklerSerializerClasDeserializeSiftedMethod | |
| FsPicklerSerializerClassDeserializeMethod | |
| FsPicklerSerializerClassDeserializeSequenceMethod | |
| FsPicklerSerializerClassDeserializeSequenceUntypedMethod | |
| FsPicklerSerializerClassDeserializeUntypedMethod | |
| FsPicklerSerializerClassUnPickleMethod | |
| FsPicklerSerializerClassUnPickleSiftedMethod | |
| FsPicklerSerializerClassUnPickleUntypedMethod | |
| JavaScriptSerializerClass | JavaScriptSerializer |
| JavaScriptSerializerClassDeserializeMethod | |
| JavaScriptSerializerClassDeserializeObjectMethod | |
| JaysonConverterToObjectMethod | |
| LosFormatterDeserializeMethod | |
| NetDataContractSerializerClass | NetDataContractSerializer |
| NetDataContractSerializerDeserializeMethod | |
| NetDataContractSerializerReadObjectMethod | |
| NewtonsoftJsonConvertClassDeserializeObjectMethod | |
| ObjectStateFormatterDeserializeMethod | |
| ProxyObjectDecodeSerializedObjectMethod | |
| ProxyObjectDecodeValueMethod | |
| ResourceReaderConstructor | |
| ServiceStackTextCsvSerializerDeserializeFromReaderMethod | |
| ServiceStackTextCsvSerializerDeserializeFromStreamMethod | |
| ServiceStackTextCsvSerializerDeserializeFromStringMethod | |
| ServiceStackTextJsonSerializerDeserializeFromReaderMethod | |
| ServiceStackTextJsonSerializerDeserializeFromStreamMethod | |
| ServiceStackTextJsonSerializerDeserializeFromStringMethod | |
| ServiceStackTextTypeSerializerDeserializeFromReaderMethod | |
| ServiceStackTextTypeSerializerDeserializeFromStreamMethod | |
| ServiceStackTextTypeSerializerDeserializeFromStringMethod | |
| ServiceStackTextXmlSerializerDeserializeFromReaderMethod | |
| ServiceStackTextXmlSerializerDeserializeFromStreamMethod | |
| ServiceStackTextXmlSerializerDeserializeFromStringMethod | |
| SharpSerializerClassDeserializeMethod | |
| SoapFormatterDeserializeMethod | |
| StrongTypeDeserializer | A deserializer that is exploitable only if the user controls the expected object type (for example, a Type argument or generic type parameter that is itself derived from untrusted input). |
| UnsafeDeserializer | An unsafe deserializer. Base class of both WeakTypeDeserializer and StrongTypeDeserializer. |
| WeakTypeDeserializer | A deserializer that does not enforce a strong check on the expected type, so the type of the object instantiated is taken from the serialized data itself; untrusted input alone is sufficient for exploitation. |
| XamlReaderLoadAsyncMethod | |
| XamlReaderLoadMethod | |
| XamlReaderParseMethod | |
| XmlMessageFormatterClass | XmlMessageFormatter |
| XmlMessageFormatterReadMethod | |
| XmlObjectSerializerClass | XmlObjectSerializer |
| XmlObjectSerializerReadObjectMethod | |
| XmlSerializerClass | XmlSerializer |
| XmlSerializerDeserializeMethod | |
| YamlDotNetDeserializerClasseserializeMethod | |
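As an added example of how this module is consumed from a query (it is not part of the library's own documentation or query suite), the following CodeQL query inventories every call site whose target the module classifies as unsafe and labels it weak-type or strong-type. It assumes that UnsafeDeserializer extends Callable, so that it can be compared against Call.getTarget(); the kind predicate and the @id are the example's own.

```ql
/**
 * @name Calls to known unsafe deserializers
 * @description Example query (not part of the CodeQL query suite): lists every
 *              call whose target the Deserializers module classifies as an
 *              unsafe deserializer, tagged weak-type or strong-type.
 * @kind problem
 * @problem.severity warning
 * @id example/unsafe-deserializer-call-sites
 */

import csharp
import semmle.code.csharp.serialization.Deserializers

/**
 * Example helper, not part of the module: describes a deserializer by which
 * abstract class from the module it extends. The third disjunct keeps the
 * predicate total so no call site is silently dropped from the results.
 */
string kind(UnsafeDeserializer d) {
  d instanceof WeakTypeDeserializer and
  result = "weak-type (type is taken from the payload; untrusted input alone is exploitable)"
  or
  d instanceof StrongTypeDeserializer and
  result = "strong-type (exploitable only if the expected type is attacker-controlled)"
  or
  not d instanceof WeakTypeDeserializer and
  not d instanceof StrongTypeDeserializer and
  result = "unclassified"
}

// Call covers both method calls and object creations, so constructor-based
// entries such as ResourceReaderConstructor are matched as well.
from Call c, UnsafeDeserializer d
where c.getTarget() = d
select c,
  "Call to " + kind(d) + " deserializer " + d.getDeclaringType().getName() + "." +
    d.getName() + "."
```

This is an inventory, not a finding list: a strong-type hit is only a vulnerability when the expected-type argument is tainted, and a weak-type hit only when the serialized data is. The library's deserialization queries combine these classes with taint tracking from remote flow sources to make that distinction; this example shows the classification step on its own.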