JavascriptObjectDeserializer - question #23
Comments
JavascriptSerializer is only vulnerable if instantiated with a type resolver:
This is not frequent though, so chances are that your target app is not vulnerable. If it's using a type resolver, the JSON you are getting should have some Cheers
Hi again, in the regular JSON input requests, there are "__type" attributes in the web application's response. So the webapp is definitely using a type resolver. A regular request has for example the following parameter: The response is as follows:
Then it sounds like it could be vulnerable (if using the SimpleTypeResolver and not a custom type resolver that does whitelist types). Unfortunately, from a blackbox perspective there is not a lot you can do to debug the problem. Some ideas:
Hi,
I have a question here instead of an issue.
I'm currently trying to exploit a potential deserialisation vulnerability in a web application which is using JavascriptObjectDeserializer. I tried to exploit the vulnerability with the JavascriptObjectDeserialize payload given here:
The web application throws the following error:
No DNS lookup was executed here. I'm just learning how to exploit deserialisation vulnerabilities, but from my previous research I estimate that the application no longer accepts the object System.Windows.Data.ObjectDataProvider because it has been patched. Do I assume this correctly, or should an RCE always be possible if the deserialization fails with an error message?
Unfortunately, I don't have access to source code (black box).
Thank you for your answers.
Greetings
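
The distinction drawn in the replies above, between `SimpleTypeResolver` and a custom resolver that whitelists types, is shown here from the defender's side. This is an added example, not code from this thread or from the project. `AllowListTypeResolver`, `SearchRequest`, `InternalConfig` and the JSON strings are constructed for illustration, and it assumes .NET Framework with a reference to System.Web.Extensions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization; // System.Web.Extensions.dll (.NET Framework)

// Constructed DTO: the only type this endpoint is meant to receive.
public class SearchRequest { public string Query { get; set; } }

// Constructed type that must never be created from client-supplied JSON.
public class InternalConfig { public string Path { get; set; } }

// Hypothetical allow-list resolver: "__type" ids map to a fixed set of types.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        { { "SearchRequest", typeof(SearchRequest) } };

    public override Type ResolveType(string id)
    {
        Type t;
        if (id != null && Allowed.TryGetValue(id, out t)) return t;
        // Fail closed: never fall back to Type.GetType(id) for unknown ids.
        throw new InvalidOperationException("Type id not allowed: " + id);
    }

    public override string ResolveTypeId(Type type)
    {
        foreach (var kv in Allowed)
            if (kv.Value == type) return kv.Key;
        return null; // unlisted types get no type id
    }
}

public static class Program
{
    public static void Main()
    {
        // Weak setting from the thread: new JavaScriptSerializer(new SimpleTypeResolver())
        var serializer = new JavaScriptSerializer(new AllowListTypeResolver());

        var ok = serializer.DeserializeObject("{\"__type\":\"SearchRequest\",\"Query\":\"abc\"}");
        Console.WriteLine(ok.GetType().Name);

        try { serializer.DeserializeObject("{\"__type\":\"InternalConfig\",\"Path\":\"x\"}"); }
        catch (Exception e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

When reviewing a code base, every `JavaScriptSerializer` constructor call that passes a resolver is worth checking: a resolver that hands the client-supplied id to `Type.GetType` offers no more protection than `SimpleTypeResolver`.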