歡迎光臨
我們一直在努力

ASP.NET resource files (.RESX) and deserialisation issues

原文出處:https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

Resource files in ASP.NET applications are normally used for localisation. They can be used to store user interface objects or strings that can be painlessly translated into other languages [1]. These resource files use the .resx extension. A .resx file can also be compiled to be consumed by an application; in this case, it uses the .resources extension.

These resource files are in XML format but they can contain serialized objects. Binary objects can be serialized and stored in base64 encoded format within the .resx files. Resources support BinaryFormatterSoapFormatter, and TypeConverters, which can all be abused to deserialise unsafe objects or to load external files. More information from Microsoft about the resource files can be read online [2][3].

Although deserialisation issues within .resx files have been mentioned in the past [4], I am not aware that it has ever been discussed in detail. This blog post therefore aims to discuss this attack vector in more detail to increase awareness of it.

The identified issues used during this research were inspired by the whitepaper written by Alvaro Muñoz and Oleksandr Mirosh, Friday the 13th JSON Attacks [5].

文章圖片來源:https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
前言引用來源:https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

-------------------
如果你認同支持我們每日分享的文章的話,請幫我們按個讚並且點擊追蹤「搶先看」,這樣就可以快速獲得最新消息囉!
您的分享及點讚,是我們最大的動力來源。
https://www.facebook.com/LonelyPoPo/

贊(0) 打賞
轉載請附上作者連結:波波的寂寞世界 » ASP.NET resource files (.RESX) and deserialisation issues

波波的寂寞世界

Facebook聯繫我們

覺得文章有用,請作者喝杯咖啡

掃一掃打賞作者狗糧