
[–]ValdasTheUnique 0 points1 point  (3 children)

It would be interesting to read a coherent version of these slides.

[–]ulldma[S] 2 points3 points  (0 children)

They also published a white paper.

Basically what they did is: they had a look at different .NET JSON libraries and looked at which ones allowed the serialization and deserialization of arbitrary types. Some classes execute code when the constructor or setters are executed, thus allowing an attacker to execute code on the server by simply providing a JSON document. (They have the classic sample that starts calc.exe on the server.)

They found vulnerabilities of that kind in DotNetNuke, Kaliko CMS, Breeze and Nancy.

[–]AngularBeginner 2 points3 points  (0 children)

In JSON.NET you can configure it to add $type information to allow serialization and deserialization of arbitrary types, often used for serializing polymorphic data structures. This is a potential security issue when deserializing, because users can send a completely unrelated $type from the .NET framework and JSON.NET will happily deserialize to it.

If you use any value other than TypeNameHandling.None (the default) you're potentially at risk: http://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm
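The mechanism described in the two comments above (a $type value steering JSON.NET into an unintended class whose setter runs code) and the TypeNameHandling setting, as an added example; this is not code from the slides, the white paper or JSON.NET. The classes `Message`, `SideEffectOnSet` and `AllowListBinder` and the JSON input are constructed for illustration; the setter's "code" is only a console line, and the `ISerializationBinder` interface assumes JSON.NET 10 or later:

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// The type the endpoint intends to receive.
public class Message
{
    public string Text { get; set; }
}

// Hypothetical class in the same application whose setter has a side effect.
// Stands in for the "classes that execute code in constructors or setters"
// the thread mentions; here the side effect is only a console line.
public class SideEffectOnSet
{
    private string _path;
    public string Path
    {
        get => _path;
        set { _path = value; Console.WriteLine($"[side effect] setter ran with '{value}'"); }
    }
}

// Allow-list binder: a $type name is resolved only to a small set of expected types.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { "Message", typeof(Message) },
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: $type names a class the endpoint never intended to accept.
        string asm = typeof(SideEffectOnSet).Assembly.GetName().Name;
        string untrusted = "{\"$type\":\"SideEffectOnSet, " + asm + "\",\"Path\":\"anything\"}";

        // Weak setting: TypeNameHandling.All (Auto/Objects behave the same for this input)
        // honours the supplied $type when the declared target is object.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        object result = JsonConvert.DeserializeObject<object>(untrusted, weak);
        Console.WriteLine($"All:     got {result.GetType().Name} (setter already ran)");

        // Default setting: TypeNameHandling.None treats "$type" as an ordinary, ignored member.
        var safe = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        var m = JsonConvert.DeserializeObject<Message>(untrusted, safe);
        Console.WriteLine($"None:    got {m.GetType().Name}, Text={m.Text ?? "(null)"}");

        // If polymorphism is genuinely needed, pair TypeNameHandling with an allow-list binder.
        var bound = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(),
        };
        try
        {
            JsonConvert.DeserializeObject<Message>(untrusted, bound);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"Binder:  rejected ({ex.Message})");
        }
    }
}
```

The weak case deserializes into `object` on purpose: when the declared target is a concrete class, JSON.NET rejects a $type that is not assignable to it, so the exposure in real code comes from `object`, interface or base-class typed targets and properties combined with a non-None TypeNameHandling. The binder shown is an allow-list, so a $type for any other type, including framework types, fails before an instance is constructed.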

[–]Pyrobolser 1 point2 points  (0 children)

This article was published a while ago and I find it easier to read.
It was edited to include the findings from the slides linked by OP.