conf.directory

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET - Jonathan Birch

About this talk

This talk was recorded at NDC Security in Oslo, Norway.

This talk describes novel attacks against .NET serialization that bypass current state-of-the-art mitigations. These attacks include serialization exploits of platforms that don't use well-known .NET serializers, "mutation" attacks that can exploit deserialization even when the serialized data cannot be tampered with, and techniques for bypassing serialization binders. New remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net and the .NET JavaScriptSerializer are all demonstrated. Because these attacks violate typical assumptions regarding serializer security, applications that use these platforms and technologies are very likely to be vulnerable. Mitigations made to the vulnerable platforms discussed in this talk are limited, and application-level fixes will still be required in many cases. This talk describes techniques to detect and mitigate these vulnerabilities, along with best practices for avoiding them.
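The abstract names two of the moving parts an application-level fix has to get right in Json.NET: whether type metadata in the input is honoured at all (`TypeNameHandling`) and, if it is, which binder decides what gets constructed. The example below is added here and is not code from the talk or from Newtonsoft.Json; it contrasts the weak setting with two hardened ones on a constructed payload. The `Order`, `Line` and `AdminCommand` types and the JSON are hypothetical. Note the talk's own caveat: binders can be bypassed, so the allow-list binder is a second layer behind `TypeNameHandling.None`, not a substitute for it.

```csharp
// Added example (not from the talk or from Newtonsoft.Json). Types and payload are hypothetical.
// Requires the Newtonsoft.Json package.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class Order
{
    public string Id { get; set; } = "";
    public List<object> Lines { get; set; } = new List<object>(); // polymorphic slot
}

public sealed class Line
{
    public string Sku { get; set; } = "";
    public int Qty { get; set; }
}

// A type the application defines but never intends to build from untrusted input.
// Stands in for whatever type an attacker would actually name in "$type".
public sealed class AdminCommand
{
    public string Exec { get; set; } = "";
}

// Allow-list binder: only types listed here may be instantiated from "$type".
// Everything else is rejected before any constructor or property setter runs.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(Order).FullName] = typeof(Order),
        [typeof(Line).FullName] = typeof(Line),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException("Type not permitted for deserialization: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Weak: the JSON's "$type" metadata chooses which .NET type gets constructed.
    public static readonly JsonSerializerSettings Weak =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };

    // Hardened (and the library default): "$type" is not metadata, just an unknown
    // property that is ignored. Use this wherever polymorphism is not required.
    public static readonly JsonSerializerSettings Hardened =
        new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };

    // Hardened with controlled polymorphism: "$type" is honoured only for allow-listed types.
    public static readonly JsonSerializerSettings HardenedPolymorphic =
        new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };

    // Constructed payload: one legitimate Line, plus an entry whose "$type" names a type
    // the application never meant to put in this slot. Json.NET's default binder needs
    // the assembly in the type reference, hence AssemblyQualifiedName.
    public static string BuildPayload()
    {
        string Ref(Type t) => t.AssemblyQualifiedName;
        return "{ \"Id\": \"A-1\", \"Lines\": [" +
               " { \"$type\": \"" + Ref(typeof(Line)) + "\", \"Sku\": \"X\", \"Qty\": 2 }," +
               " { \"$type\": \"" + Ref(typeof(AdminCommand)) + "\", \"Exec\": \"noop\" } ] }";
    }

    public static void Main()
    {
        string payload = BuildPayload();

        // Weak: the input selected the concrete type, so Lines[1] is an AdminCommand.
        var weak = JsonConvert.DeserializeObject<Order>(payload, Weak);
        Console.WriteLine("TypeNameHandling.All  -> Lines[1] is " + weak.Lines[1].GetType().Name);

        // Hardened: "$type" is ignored, so Lines[1] is a plain JObject holding the raw fields.
        var none = JsonConvert.DeserializeObject<Order>(payload, Hardened);
        Console.WriteLine("TypeNameHandling.None -> Lines[1] is " + none.Lines[1].GetType().Name);

        // Allow-list: the binder refuses AdminCommand and Json.NET surfaces a JsonSerializationException.
        try
        {
            JsonConvert.DeserializeObject<Order>(payload, HardenedPolymorphic);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("Allow-list binder    -> rejected: " + e.Message);
        }
    }
}
```

The binder keys on `FullName` rather than on the assembly-qualified string so that an attacker cannot slip past it by varying version or public-key-token details in the reference. Even so, treat the `TypeNameHandling.None` path as the primary control; the allow-list only narrows the remaining surface when polymorphic input genuinely cannot be avoided.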

