CWE-502: Deserialization of Untrusted Data #1791

edcararo · 2020-08-28T18:48:27Z

edcararo
Aug 28, 2020

We have recently been scanned for security vulnerabilities and the report came back with CWE-502: Deserialization of Untrusted Data.
I couldn't find anything in the forum on how csla.net was handling this .net vulnerability.
We've already implemented a white list approach to mitigate the problem, but the security firm was still able to penetrate mocking a type used by our program.
Have anybody dealt with this problem before? What approaches have you done?
Thanks

Answered by rockfordlhotka

Aug 31, 2020

Although CSLA still supports the BinaryFormatter, I generally recommend using MobileFormatter. Partly because Microsoft recommends against BinaryFormatter for external data transfer (or any transfer really), and party because we've worked hard to optimize MobileFormatter for CSLA and I think, in most cases, it does a better job.

View full answer

BlagoCuljak · 2020-08-28T19:04:19Z

BlagoCuljak
Aug 28, 2020

Do you use Binary or Mobile formatter? And CSLA version?

https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide

0 replies

edcararo · 2020-08-28T23:48:41Z

edcararo
Aug 28, 2020
Author

The version is old csla 3.5.1 and the webserviceportal uses BinaryFormatter. In the past, when we tried to upgrade to newer versions of Csla, the breakage was too intense, hence we left alone since everything was working properly.

…

On Fri, Aug 28, 2020 at 3:04 PM BlagoCuljak ***@***.***> wrote: Do you use Binary or Mobile formater? And CSLA version? https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1791 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALZASULGYRY6WMP4O47H5P3SC75UBANCNFSM4QONIQNA> .

1 reply

BlagoCuljak Aug 29, 2020

Sometimes paying tehnological debt is huge task, and dealing with debt, can break entire project.

We spent 3 months in first corona wave, Mar-Jun, paying all sort of debt.

With good planning and some consultant work, maybe from Marimer, you should be able to upgrade. It's not going to get any better with time...

rockfordlhotka · 2020-08-31T14:02:44Z

rockfordlhotka
Aug 31, 2020
Maintainer

Although CSLA still supports the BinaryFormatter, I generally recommend using MobileFormatter. Partly because Microsoft recommends against BinaryFormatter for external data transfer (or any transfer really), and party because we've worked hard to optimize MobileFormatter for CSLA and I think, in most cases, it does a better job.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

CWE-502: Deserialization of Untrusted Data #1791

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

CWE-502: Deserialization of Untrusted Data #1791

Uh oh!

edcararo Aug 28, 2020

Replies: 3 comments · 1 reply

Uh oh!

Uh oh!

BlagoCuljak Aug 28, 2020

Uh oh!

edcararo Aug 28, 2020 Author

Uh oh!

BlagoCuljak Aug 29, 2020

Uh oh!

rockfordlhotka Aug 31, 2020 Maintainer

edcararo
Aug 28, 2020

Replies: 3 comments 1 reply

BlagoCuljak
Aug 28, 2020

edcararo
Aug 28, 2020
Author

rockfordlhotka
Aug 31, 2020
Maintainer