Why is this an issue?

During deserialization, the state of an object is reconstructed from the serialized data stream, and that reconstruction can trigger dangerous operations.

For example, a well-known attack vector consists of serializing an object of type TempFileCollection that references arbitrary, attacker-chosen files; those files are deleted by the application that deserializes the object (when the Finalize() method of the TempFileCollection object is called). Types of this kind are called "gadgets".

Instead of using BinaryFormatter and similar serializers, it is recommended to use safer alternatives in most cases, such as XmlSerializer or DataContractSerializer. If that is not possible, mitigate the risk by restricting the types allowed to be deserialized:

Noncompliant code example

For BinaryFormatter, NetDataContractSerializer, SoapFormatter serializers:

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Deserialize(stream) ' Noncompliant: a binder is not used to limit types during deserialization

JavaScriptSerializer should not use SimpleTypeResolver or other weak resolvers:

Dim serializer1 As JavaScriptSerializer = New JavaScriptSerializer(New SimpleTypeResolver()) ' Noncompliant: SimpleTypeResolver is insecure (every type is resolved)
serializer1.Deserialize(Of ExpectedType)(json)

LosFormatter should not be used without MAC verification:

Dim formatter As LosFormatter = New LosFormatter() ' Noncompliant
formatter.Deserialize(fs)

Compliant solution

BinaryFormatter, NetDataContractSerializer and SoapFormatter serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned):

NotInheritable Class CustomBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        If Not (Equals(typeName, "type1") OrElse Equals(typeName, "type2") OrElse Equals(typeName, "type3")) Then
            Throw New SerializationException("Only type1, type2 and type3 are allowed") ' Compliant
        End If
        Return Assembly.Load(assemblyName).[GetType](typeName)
    End Function
End Class

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Binder = New CustomBinder()
myBinaryFormatter.Deserialize(stream)
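The binder above compares bare type-name strings. As an added example, not part of the rule's own text, the following binder allowlists concrete types by full type name and by the exact assembly they must come from, throws for everything else, and is exercised with a round trip of a permitted type and a rejected one. It assumes .NET Framework (where BinaryFormatter is still usable) and the hypothetical payload type Invoice.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Runtime.Serialization
Imports System.Runtime.Serialization.Formatters.Binary

<Serializable>
Public Class Invoice ' hypothetical payload type the application expects
    Public Property Id As Integer
    Public Property Amount As Decimal
End Class

' Allowlist binder: resolves only the expected types, checking the type's full
' name and the exact assembly it must come from. It throws instead of returning
' Nothing, because BinaryFormatter falls back to default type resolution when
' the binder returns Nothing, and default resolution is what a gadget needs.
Public NotInheritable Class AllowlistBinder
    Inherits SerializationBinder
    Private ReadOnly _allowed As New Dictionary(Of String, Type)(StringComparer.Ordinal) From {{GetType(Invoice).FullName, GetType(Invoice)}}
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        Dim candidate As Type = Nothing
        If _allowed.TryGetValue(typeName, candidate) AndAlso
           String.Equals(assemblyName, candidate.Assembly.FullName, StringComparison.Ordinal) Then
            Return candidate
        End If
        Throw New SerializationException($"Type '{typeName}' from '{assemblyName}' is not allowed")
    End Function
End Class

Module Demo
    ' Serializes a value and deserializes it again through the allowlist binder.
    Public Function RoundTrip(value As Object) As Object
        Dim formatter As New BinaryFormatter With {.Binder = New AllowlistBinder()}
        Using ms As New MemoryStream()
            formatter.Serialize(ms, value)
            ms.Position = 0
            Return formatter.Deserialize(ms)
        End Using
    End Function
    Sub Main()
        ' Permitted type: round-trips normally.
        Dim restored = DirectCast(RoundTrip(New Invoice With {.Id = 7, .Amount = 19.99D}), Invoice)
        Console.WriteLine($"Invoice {restored.Id}: {restored.Amount}")
        ' Any other serializable type is rejected before it is instantiated.
        Try
            RoundTrip(New List(Of String) From {"not", "allowed"})
        Catch ex As SerializationException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```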

JavaScriptSerializer should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned):

Public Class CustomSafeTypeResolver
    Inherits JavaScriptTypeResolver
    Public Overrides Function ResolveType(id As String) As Type
        If Not Equals(id, "ExpectedType") Then
            Throw New ArgumentNullException("Only ExpectedType is allowed during deserialization") ' Compliant
        End If
        Return Type.[GetType](id)
    End Function
End Class

Dim serializer As JavaScriptSerializer = New JavaScriptSerializer(New CustomSafeTypeResolver()) ' Compliant
serializer.Deserialize(Of ExpectedType)(json)

LosFormatter serializer with MAC verification:

Dim formatter As LosFormatter = New LosFormatter(True, secret) ' Compliant
formatter.Deserialize(fs)

Resources