
The recently exposed security vulnerabilities regarding serialization in .NET have ambiguous recommendations. What is the correct way to securely use JSON.NET?

Detailed guidance for JSON.NET: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf#page=5

Should TypeNameHandling.All be used or should TypeNameHandling.None be used?

General Explanation: https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/

KPHutt
    Related: [TypeNameHandling caution in Newtonsoft Json](https://stackoverflow.com/q/39565954/3744182). – dbc Aug 14 '17 at 16:26

1 Answer


Well, it appears the answer is right in front of me in the documentation:

"Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than None."

KPHutt
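The custom SerializationBinder the documentation refers to, as an added example that is not part of the question or answer above. It assumes Json.NET 10 or later (the `ISerializationBinder` interface) and uses two constructed types, `Order` and `Refund`, as the only types a `$type` property is allowed to resolve to; anything else is rejected before the serializer ever instantiates it.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed example types: the complete set of types a "$type" value may name.
public class Order { public int Id { get; set; } public string Note { get; set; } }
public class Refund { public int OrderId { get; set; } public decimal Amount { get; set; } }

// Allow-list binder: unknown type names throw instead of falling through to Type.GetType.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(Order).FullName, typeof(Order) },
        { typeof(Refund).FullName, typeof(Refund) },
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type)) return type;
        // Rejecting here means attacker-controlled text never reaches type resolution.
        throw new JsonSerializationException($"Type '{typeName}' is not on the deserialization allow list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // omit the assembly so payloads are not tied to a version
        typeName = serializedType.FullName;  // matches the keys used in Allowed
    }
}

public static class Demo
{
    // Objects (not All) limits where "$type" is honoured; the binder then limits what it may name.
    public static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder(),
    };

    public static void Main()
    {
        string good = "{\"$type\":\"Order\",\"Id\":1,\"Note\":\"ok\"}";          // constructed input
        Console.WriteLine(JsonConvert.DeserializeObject<object>(good, Settings).GetType().Name); // Order

        string bad = "{\"$type\":\"Some.Unlisted.Type, SomeAssembly\",\"Id\":1}"; // constructed input
        try { JsonConvert.DeserializeObject<object>(bad, Settings); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Keep the allow list to plain data types with no side effects in their constructors or setters, since the binder only controls which types are created, not what those types do.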