From the early Remote Method Invocation (RMI) and CORBA implementations onwards, serialization and deserialization have been a key mechanism for transferring object state from one end to another. It takes place in in-process, inter-process and network communication, between the same or different frameworks.
There are APIs that deserialize previously serialized class instances, such as the one below:
using System.IO;
using System.Xml.Serialization;

// Deserialize an OrderedItem from a file whose name the user supplied
XmlSerializer serializer = new XmlSerializer(typeof(OrderedItem));
FileStream fs = new FileStream(userInputFileName, FileMode.OpenOrCreate);
TextReader reader = new StreamReader(fs);
OrderedItem i = (OrderedItem) serializer.Deserialize(reader);
i.Register();   // field values taken from the file are now used inside Register
The code above reads a file whose name the user supplied, deserializes the type instance and executes its Register method. Since the System.Xml.Serialization.XmlSerializer class can only serialize simple public types, and instantiates only the type passed to its constructor, the risk is low; however, a deserialized string that flows into a dangerous sink inside the Register method can still let an attacker who controls the input decide what that sink does.
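As an added example (not code from the original page or from any product it describes), the class below shows the pattern the paragraph warns about, with the unsafe Register beside a hardened one that validates the deserialized string before it reaches a file-system sink. The ItemName and Quantity members, the registryDir parameter and the sample XML are assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml.Serialization;

// Hypothetical OrderedItem: XmlSerializer fills the public properties from the XML,
// so after Deserialize() every string member is attacker-controlled input.
public class OrderedItem
{
    public string ItemName { get; set; }
    public int Quantity { get; set; }

    // Unsafe: the deserialized string goes straight into a path (the "dangerous sink").
    public void RegisterUnsafe(string registryDir)
    {
        File.WriteAllText(Path.Combine(registryDir, ItemName + ".txt"), Quantity.ToString());
    }

    // Hardened: allow-list the value, then confirm the resolved path stays inside registryDir.
    public void Register(string registryDir)
    {
        if (string.IsNullOrEmpty(ItemName) || ItemName.Length > 64 ||
            !Regex.IsMatch(ItemName, @"^[A-Za-z0-9_-]+$"))
            throw new InvalidDataException("ItemName failed validation");
        if (Quantity < 0)
            throw new InvalidDataException("Quantity must not be negative");

        // Defence in depth: even a value that slipped past the allow-list cannot escape the directory.
        string baseDir = Path.GetFullPath(registryDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
        string target = Path.GetFullPath(Path.Combine(baseDir, ItemName + ".txt"));
        if (!target.StartsWith(baseDir + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new InvalidDataException("resolved path escapes the registry directory");

        File.WriteAllText(target, Quantity.ToString());
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: XML a caller might submit in place of a trusted file.
        const string xml = "<OrderedItem><ItemName>../outside</ItemName><Quantity>1</Quantity></OrderedItem>";
        var serializer = new XmlSerializer(typeof(OrderedItem));
        OrderedItem item;
        using (var reader = new StringReader(xml))
            item = (OrderedItem)serializer.Deserialize(reader);
        try { item.Register(Path.GetTempPath()); Console.WriteLine("registered"); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Note that XmlSerializer itself never instantiates a type named in the XML when the type is fixed at construction, so the check belongs on the field values, at the point where they reach a sink.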