Resource files in ASP.NET applications are normally used for localisation. They can be used to store user interface objects or strings that can be painlessly translated into other languages. These resource files use the .resx extension. A .resx file can also be compiled to be consumed by an application; in this case, it uses the
These resource files are in XML format, but they can contain serialised objects. Binary objects can be serialised and stored in base64-encoded form within the .resx files. Resources also support TypeConverters; both mechanisms can be abused to deserialise unsafe objects or to load external files. More information from Microsoft about the resource files can be read online.
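As an added example that is not part of the original post, the following Python audit walks a .resx file and flags the entry kinds described above: base64 serialised objects, ResXFileRef entries that reference external files, and other typed entries that are materialised through a TypeConverter. The sample .resx, its base64 value and the `audit_resx` function are constructed for this example; the MIME type strings are the ones the .NET ResX format uses for binary- and SOAP-serialised objects.

```python
"""Flag .resx <data> entries that are not plain strings (constructed audit example)."""
import xml.etree.ElementTree as ET

# Constructed sample .resx: a plain string, a base64 binary-serialised object
# (placeholder value, not a real payload) and an external file reference.
SAMPLE_RESX = """<?xml version="1.0" encoding="utf-8"?>
<root>
  <data name="Greeting" xml:space="preserve">
    <value>Hello</value>
  </data>
  <data name="Blob" mimetype="application/x-microsoft.net.object.binary.base64">
    <value>AAEAAAD/////AQAAAAAAAAA=</value>
  </data>
  <data name="Logo" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>logo.png;System.Drawing.Bitmap, System.Drawing</value>
  </data>
</root>
"""

# MIME types that mark a value as a BinaryFormatter / SoapFormatter payload.
SERIALISED_MIMETYPES = {
    "application/x-microsoft.net.object.binary.base64",
    "application/x-microsoft.net.object.soap.base64",
}


def audit_resx(xml_text):
    """Return (name, reason) for every <data> entry that is not a plain string.

    Plain string entries carry neither a mimetype nor a type attribute; anything
    else is either deserialised, read from disk, or converted via a TypeConverter
    when the resource is loaded, so it deserves a manual review.
    """
    findings = []
    for data in ET.fromstring(xml_text).iter("data"):
        name = data.get("name", "")
        mimetype = data.get("mimetype", "")
        type_attr = data.get("type", "")
        if mimetype in SERIALISED_MIMETYPES:
            findings.append((name, "serialised object: " + mimetype))
        elif type_attr.startswith("System.Resources.ResXFileRef"):
            findings.append((name, "external file reference"))
        elif type_attr:
            # Typed entries are reconstructed through the type's TypeConverter.
            findings.append((name, "TypeConverter-backed type: " + type_attr.split(",")[0]))
    return findings
```

Run it over a real project's .resx files to get a review list; every hit is a spot where the loader does more than copy a string.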
Although deserialisation issues within .resx files have been mentioned in the past, I am not aware that they have ever been discussed in detail. This blog post therefore aims to discuss this attack vector in more detail to increase awareness of it.
The issues identified during this research were inspired by the whitepaper written by Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th JSON Attacks.