Friday, 31 May 2024

OWASP - Unsafe Deserialization

 OWASP - Unsafe Deserialization解法思考

===============================


1. 正則表達式Regex.Match 過濾

2. 將傳回值 Deserialize成JArray物件,再逐一取JObjet之欄位值,組回原格式

3. 加入判斷 if((this.ui_hidMassageInfos.Value.StartsWith("[") && this.ui_hidMassageInfos.Value.EndsWith("]")) ||

(this.ui_hidMassageInfos.Value.StartsWith("{") && this.ui_hidMassageInfos.Value.EndsWith("}")))

4. Deserialize加一個Setting參數 new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None });

5. 將前端輸入字串加密為base64字串,再到後端解密

===================================

上述這5個方法對 Unsafe Deserialization 此 弱點無解

By -
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

聯邦數位帳戶NewNewBank推薦碼,15%高利息優惠

 好推分享!New New Bank數位帳戶【推薦開戶】台幣高利活儲、投資下單手續費優惠等超多好康,立即開戶: https://newnewbank.ubot.com.tw/web/#/S0101001?pm=3&ID=ZZIDIHI 透過上面連結開戶,你會享有一個月15...