Friday, 31 May 2024

OWASP - Unsafe Deserialization

OWASP - Unsafe Deserialization: thoughts on remediation

===============================


1. Filter the input with a regular expression (Regex.Match).

2. Deserialize the returned value into a JArray, then read each JObject's fields one by one and rebuild the original structure from them.

3. Add a shape check: `if ((this.ui_hidMassageInfos.Value.StartsWith("[") && this.ui_hidMassageInfos.Value.EndsWith("]")) || (this.ui_hidMassageInfos.Value.StartsWith("{") && this.ui_hidMassageInfos.Value.EndsWith("}")))`

4. Pass a settings argument to Deserialize: `new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None }`

5. Base64-encode the string on the front end and decode it again on the back end (Base64 is an encoding, not encryption, so it gives the input no integrity protection).

===================================

None of these five approaches clears the Unsafe Deserialization finding.
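As an added example (not the post's code) of what approaches 2 to 4 look like when combined into one typed parsing path for the hidden field, assuming Newtonsoft.Json and a hypothetical `MessageInfo` DTO with `Id` and `Text` properties. Approaches 1 and 5 only transform the string before it reaches this point, so the same text ends up at the parser either way. `TypeNameHandling.None` is Json.NET's default and makes the serializer ignore `$type` metadata, which is what blocks the classic gadget-chain path; the post reports that the Unsafe Deserialization finding remained even so.

```csharp
// Added example, not from the original post. Assumes Newtonsoft.Json and a
// hypothetical MessageInfo DTO matching the hidden field's JSON.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

public sealed class MessageInfo
{
    public string Id { get; set; }
    public string Text { get; set; }
}

public static class MessageInfoParser
{
    // Approach 4: no polymorphic type resolution. None is Json.NET's default,
    // so a "$type" property in the input is ignored instead of selecting a CLR type.
    // MaxDepth bounds recursion on deeply nested input.
    private static readonly JsonSerializerSettings Safe = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,
        MaxDepth = 8
    };

    public static List<MessageInfo> Parse(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
            return new List<MessageInfo>();

        string s = raw.Trim();

        // Approach 3: shape check. This rejects obviously wrong input only;
        // "[{...}]" still wraps arbitrary JSON, so it is not content validation.
        bool looksLikeArray = s.StartsWith("[") && s.EndsWith("]");
        bool looksLikeObject = s.StartsWith("{") && s.EndsWith("}");
        if (!looksLikeArray && !looksLikeObject)
            throw new FormatException("hidden field is not a JSON array or object");

        // Approach 2: parse to a JToken tree first, then copy only the fields
        // we expect into a plain DTO instead of binding the whole document.
        JToken token = JsonConvert.DeserializeObject<JToken>(s, Safe);
        JArray arr = token as JArray ?? new JArray(token);

        var result = new List<MessageInfo>(arr.Count);
        foreach (JToken item in arr)
        {
            if (!(item is JObject obj))
                continue; // skip entries that are not objects

            result.Add(new MessageInfo
            {
                Id = (string)obj["Id"] ?? string.Empty,
                Text = (string)obj["Text"] ?? string.Empty
            });
        }
        return result;
    }
}
```

In the page's code-behind this would be called as `var infos = MessageInfoParser.Parse(this.ui_hidMassageInfos.Value);`. Only `Id` and `Text` are ever read from the parsed tree, so extra properties in the posted JSON are dropped rather than bound to anything.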
