Newtonsoft JSON.NET安全漏洞实现 [英] Newtonsoft JSON.NET Security Vulnerability Implementation

问题描述

最近暴露的有关.NET中序列化的安全漏洞有含糊的建议. 安全使用JSON.NET的正确方法是什么?

The recently exposed security vulnerabilities regarding serialization in .NET have ambiguous recommendations. What is the correct way to securely use JSON.NET?

关于JSON.NET的详细指南: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf #page = 5

Detailed guidance for JSON.NET: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf#page=5

应该使用 TypeNameHandling.All ，还是应该使用 TypeNameHandling.None ?

Should TypeNameHandling.All be used or should TypeNameHandling.None be used?

一般说明: https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/

推荐答案

在反序列化除None以外的其他值时，应使用自定义的SerializationBinder验证传入的类型."

"Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than None."

这篇关于Newtonsoft JSON.NET安全漏洞实现的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！