insecure-deserializers-fixes-for-always-insecure-deserializers.md
---
author: dotpaul
ms.author: paulming
ms.date: 05/01/2019
ms.topic: include
---
- If possible, use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. Some safer serializers include:
  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
  - Newtonsoft Json.NET - Use `TypeNameHandling.None`. If you must use another value for `TypeNameHandling`, restrict deserialized types to an expected list with a custom `ISerializationBinder`.
  - Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotation.
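The following is an added example, not code from this docs include, showing both bullets together for Json.NET: an `ISerializationBinder` that only resolves an explicit allowlist of types, wrapped by HMAC-SHA256 signing that is verified before the serializer ever sees the payload. The names `AllowListBinder` and `SignedJson` are chosen for this example, and the caller is assumed to supply the secret key and the list of expected types.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Binder that resolves "$type" only to types registered up front; anything else is rejected.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();
    public AllowListBinder(params Type[] types) { foreach (var t in types) _allowed[t.Name] = t; }

    public Type BindToType(string assemblyName, string typeName) =>
        _allowed.TryGetValue(typeName, out var t)
            ? t
            : throw new JsonSerializationException($"Type '{typeName}' is not allowed.");

    // Emit the bare type name with no assembly, so the payload cannot steer type loading.
    public void BindToName(Type type, out string assemblyName, out string typeName)
        { assemblyName = null; typeName = type.Name; }
}

public static class SignedJson
{
    // The binder is what makes a TypeNameHandling value other than None acceptable here.
    private static JsonSerializerSettings Settings(Type[] allowed) => new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowListBinder(allowed)
    };

    // Serialize, then prefix an HMAC-SHA256 tag computed over the JSON text.
    public static string Serialize<T>(T value, byte[] key, Type[] allowed)
    {
        string json = JsonConvert.SerializeObject(value, Settings(allowed));
        using var hmac = new HMACSHA256(key);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(json))) + "." + json;
    }

    // Verify the tag in constant time first; an unverified payload never reaches the serializer.
    public static T Deserialize<T>(string signed, byte[] key, Type[] allowed)
    {
        int dot = signed.IndexOf('.');
        if (dot < 0) throw new CryptographicException("Missing signature.");
        byte[] expected = Convert.FromBase64String(signed.Substring(0, dot));
        string json = signed.Substring(dot + 1);
        using var hmac = new HMACSHA256(key);
        if (!CryptographicOperations.FixedTimeEquals(expected, hmac.ComputeHash(Encoding.UTF8.GetBytes(json))))
            throw new CryptographicException("Signature mismatch; payload rejected.");
        return JsonConvert.DeserializeObject<T>(json, Settings(allowed));
    }
}
```

Keep the HMAC key out of the serialized data and load it from a secret store; to rotate, accept tags from both the old and new key for a transition window while signing only with the new one.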