OWASP - Unsafe Deserialization: thoughts on remediation
===============================
1. Filter the input with a regular expression (Regex.Match)
2. Deserialize the returned value into a JArray, then read each JObject's fields one by one and rebuild the original format
3. Add a shape check: if((this.ui_hidMassageInfos.Value.StartsWith("[") && this.ui_hidMassageInfos.Value.EndsWith("]")) || (this.ui_hidMassageInfos.Value.StartsWith("{") && this.ui_hidMassageInfos.Value.EndsWith("}")))
4. Pass a settings parameter to Deserialize: new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None }
5. Encode the front-end input string as base64 and decode it again on the back end
===================================
None of the five methods above resolves this Unsafe Deserialization weakness.
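For reference, this is what approaches 2, 3 and 4 look like together in Json.NET: a shape check, deserialization into a JArray with TypeNameHandling.None so no "$type" property is honoured, and copying only the expected fields into a fixed DTO. This is an added illustration, not code from the post; the MessageInfo class and its Id/Text fields are hypothetical, since the post does not give the real record layout.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Hypothetical record shape; the post does not name the real fields.
public sealed class MessageInfo
{
    public string Id { get; set; }
    public string Text { get; set; }
}

public static class MessageInfoParser
{
    // Approach 4: never resolve CLR types from a "$type" property in the payload.
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None
    };

    // Approaches 2 and 3: require an array, parse it as JArray, then copy
    // only the known fields into a fixed DTO instead of deserializing to object.
    public static List<MessageInfo> Parse(string raw)
    {
        var result = new List<MessageInfo>();
        if (string.IsNullOrWhiteSpace(raw)) return result;

        var s = raw.Trim();
        if (!(s.StartsWith("[") && s.EndsWith("]")))
            throw new FormatException("expected a JSON array");

        var array = JsonConvert.DeserializeObject<JArray>(s, Settings);
        foreach (var token in array)
        {
            if (!(token is JObject obj))
                throw new FormatException("array element is not a JSON object");

            // Unknown properties (including "$type") are simply not copied.
            result.Add(new MessageInfo
            {
                Id = (string)obj["Id"],
                Text = (string)obj["Text"]
            });
        }
        return result;
    }
}
```

A constructed input such as `[{"Id":"1","Text":"hi","$type":"ignored"}]` yields one MessageInfo with the extra property dropped; any non-array input is rejected before deserialization.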