Friday the 13th JSON Attacks #108

Closed
dungvu-novus opened this issue Oct 21, 2019 · 6 comments

Comments

@dungvu-novus

I found the documents from HPE Software Security Research that talk about a security issue with the deserialization method. Here is the copied paragraph (from page 5 of the file).

FastJson includes type discriminators by default which allows attackers to send arbitrary types. It performs a weak type control by casting the deserialized object to the expected type when object has already been deserialized.
During deserialization, it will call:
• Setters
Should never be used with untrusted data since it cannot be configured in a secure way.

Link to the full document: HERE

@dungvu-novus
Author

dungvu-novus commented Oct 21, 2019

I found a warning from README.md:

Security Warning
It has come to my attention from the HP Enterprise Security Group that using the $type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe.

What can I do about this issue?

@dungvu-novus
Author

Parsing this JSON may automatically launch the calculator app:

```json
{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName": "Start",
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "$values": [ "cmd", "/ccalc" ]
  },
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  }
}
```

@mgholam
Owner

mgholam commented Oct 22, 2019

At the moment just make sure your json is from a trusted source when using the $type extensions.

@dungvu-novus
Author

But I am still facing a security issue with this: I use the JSON library on the server side, and I cannot ask my client not to send a message without $type, or reject it. On the other side, I must use the $type property for the polymorphic JSON serializer (that is the reason I chose the lib).

I think we should add a solution for this soon.
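One way to handle the situation described in this comment, as an added example that is not fastJSON's own code: screen every `$type` discriminator in the incoming document against an allowlist of the polymorphic message types the server actually expects, and only hand the text to the deserializer when nothing unexpected is found. It uses System.Text.Json purely to walk the document; the `TypeDiscriminatorGate` class, the allowlist entries and the `MyApp` names are placeholders for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
// Added defensive gate, not fastJSON's own mechanism: walk untrusted JSON and reject
// any "$type" discriminator that is not on an explicit allowlist before deserializing.
public static class TypeDiscriminatorGate
{
    // Assumed allowlist of the polymorphic message types this service expects, written
    // the way the serializer emits them in "$type" (these names are placeholders).
    private static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.Ordinal)
    {
        "MyApp.Messages.OrderCreated, MyApp",
        "MyApp.Messages.OrderCancelled, MyApp",
    };
    // Returns every "$type" value not on the allowlist; an empty list means the
    // document may be handed to the real deserializer.
    public static List<string> FindDisallowedTypes(string json)
    {
        var bad = new List<string>();
        using (var doc = JsonDocument.Parse(json))
            Walk(doc.RootElement, bad);
        return bad;
    }
    private static void Walk(JsonElement el, List<string> bad)
    {
        if (el.ValueKind == JsonValueKind.Object)
        {
            foreach (var prop in el.EnumerateObject())
            {
                if (prop.Name == "$type" && prop.Value.ValueKind == JsonValueKind.String
                    && !Allowed.Contains(prop.Value.GetString()))
                    bad.Add(prop.Value.GetString());
                Walk(prop.Value, bad); // nested values carry their own "$type" too
            }
        }
        else if (el.ValueKind == JsonValueKind.Array)
        {
            foreach (var item in el.EnumerateArray()) Walk(item, bad);
        }
    }
    public static void Main()
    {
        // Constructed samples: an expected message and an ObjectDataProvider-style discriminator.
        string ok = "{\"$type\":\"MyApp.Messages.OrderCreated, MyApp\",\"Id\":42}";
        string gadget = "{\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\",\"MethodName\":\"Start\"}";
        Console.WriteLine(FindDisallowedTypes(ok).Count == 0);
        Console.WriteLine(string.Join("; ", FindDisallowedTypes(gadget)));
    }
}
```

Because the check runs on the raw text, it also covers discriminators buried in nested members such as `MethodParameters` or `ObjectInstance`, which is where the payload in this thread places its extra types.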

@mgholam
Owner

mgholam commented Oct 25, 2019

Check out v2.3.0

@dungvu-novus
Author

Thank you kindly for supporting me.
