Resource files in ASP.NET applications are normally used for localisation. They can be used to store user interface objects or strings that can be painlessly translated into other languages [1]. These resource files use the .resx extension. A .resx file can also be compiled to be consumed by an application; in this case, it uses the .resources extension.
These resource files are in XML format but they can contain serialized objects. Binary objects can be serialized and stored in base64 encoded format within the .resx files. Resources support BinaryFormatter, SoapFormatter, and TypeConverters, which can all be abused to deserialise unsafe objects or to load external files. More information from Microsoft about the resource files can be read online [2][3].
Although deserialisation issues within .resx files have been mentioned in the past [4], I am not aware that it has ever been discussed in detail. This blog post therefore aims to discuss this attack vector in more detail to increase awareness of it.
The identified issues used during this research were inspired by the whitepaper written by Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th JSON Attacks [5].
文章圖片來源:https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
前言引用來源:https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
-------------------
如果你認同支持我們每日分享的文章的話,請幫我們按個讚並且點擊追蹤「搶先看」,這樣就可以快速獲得最新消息囉!
您的分享及點讚,是我們最大的動力來源。
https://www.facebook.com/LonelyPoPo/
