From 4163f45290267ce43c465a902b43c254d3ffddb3 Mon Sep 17 00:00:00 2001 From: Robert Burns Date: Thu, 8 Aug 2024 04:24:55 -0400 Subject: [PATCH] Fix spelling errors in Deserialization_Cheat_Sheet (#1465) --- cheatsheets/Deserialization_Cheat_Sheet.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cheatsheets/Deserialization_Cheat_Sheet.md b/cheatsheets/Deserialization_Cheat_Sheet.md index 6035fa69c5..f5fbffdf42 100644 --- a/cheatsheets/Deserialization_Cheat_Sheet.md +++ b/cheatsheets/Deserialization_Cheat_Sheet.md @@ -10,7 +10,7 @@ This article is focused on providing clear, actionable guidance for safely deser **Deserialization** is the reverse of that process, taking data structured in some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML. -However, many programming languages have native ways to serialize objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. +However, many programming languages have native ways to serialize objects. These native formats usually offer more features than JSON or XML, including customization of the serialization process. Unfortunately, the features of these native deserialization mechanisms can sometimes be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, or remote code execution (RCE) attacks. 
@@ -268,7 +268,7 @@ TypeNameHandling = TypeNameHandling.None If `JavaScriptSerializer` is to be used then do not use it with a `JavaScriptTypeResolver`. -If you must deserialise data streams that define their own type, then restrict the types that are allowed to be deserialized. One should be aware that this is still risky as many native .Net types potentially dangerous in themselves. e.g. +If you must deserialize data streams that define their own type, then restrict the types that are allowed to be deserialized. One should be aware that this is still risky as many native .Net types potentially dangerous in themselves. e.g. ```csharp System.IO.FileInfo @@ -276,7 +276,7 @@ System.IO.FileInfo `FileInfo` objects that reference files actually on the server can when deserialized, change the properties of those files e.g. to read-only, creating a potential denial of service attack. -Even if you have limited the types that can be deserialised remember that some types have properties that are risky. `System.ComponentModel.DataAnnotations.ValidationException`, for example has a property `Value` of type `Object`. if this type is the type allowed for deserialization then an attacker can set the `Value` property to any object type they choose. +Even if you have limited the types that can be deserialized remember that some types have properties that are risky. `System.ComponentModel.DataAnnotations.ValidationException`, for example has a property `Value` of type `Object`. if this type is the type allowed for deserialization then an attacker can set the `Value` property to any object type they choose. Attackers should be prevented from steering the type that will be instantiated. If this is possible then even `DataContractSerializer` or `XmlSerializer` can be subverted e.g.
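Review bot: In the first hunk (the `-/+` pair on "native formats usually offer more features"), "customizability" is a real word rather than a misspelling, so this is a wording change, not a spelling fix as the subject line claims; "customization of the serialization process" reads fine, but consider noting in the commit message that one wording tweak is included.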
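Review bot: The `+` line in the `@@ -268,7` hunk fixes "deserialise" but keeps the missing verb in "many native .Net types potentially dangerous in themselves"; since the line is being touched anyway, suggest "many native .Net types are potentially dangerous in themselves, e.g." so the sentence is complete and the trailing "e.g." is attached to the clause it introduces.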
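Review bot: The `+` line in the `@@ -276,7` hunk still starts a sentence with a lowercase "if" ("...of type `Object`. if this type is the type allowed...") and lacks the commas around "for example"; suggest "`System.ComponentModel.DataAnnotations.ValidationException`, for example, has a property `Value` of type `Object`. If this type is the type allowed for deserialization..." while the line is being edited.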