TypeNameHandling caution in Newtonsoft Json

轻奢々 2020-11-22 01:57

On this link, in the remarks section it's mentioned that:

TypeNameHandling should be used with caution when your application deserializes JS

2 answers
  •  刺人心 (original poster)
     2020-11-22 02:28

    Some additional attack gadgets have been identified in Alvaro Muñoz & Oleksandr Mirosh's Black Hat paper https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf. These are:

    • System.Configuration.Install.AssemblyInstaller - Attack vector: execute payload on assembly load.

    • System.Activities.Presentation.WorkflowDesigner - Attack vector: execute static method during parsing of Xaml payload.

    • System.Windows.ResourceDictionary - Attack vector: an attacker sends payload with URL to controlled server, this server responds with Xaml payload and ContentType = application/xaml+xml and target server will execute desired static method during parsing of Xaml payload.

    • System.Windows.Data.ObjectDataProvider - Attack vector: 1) call any method of unmarshaled object; 2) We can call parametrized constructor of desired type with controlled parameters; 3) call any public method including static ones with controlled parameters.

    • System.Windows.Forms.BindingSource - Attack vector: arbitrary getter call.

    • Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider - Attack vector: it allows jumping from setters to nested BinaryFormatter deserialization.

    Note however that the attack gadget type must be compatible with (assignable to) the expected type being deserialized for the attack to succeed. This is always true when the expected type is object or dynamic and may be true in other situations. See External json vulnerable because of Json.Net TypeNameHandling auto? for details.
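The assignability point in the answer above, shown as an added example that is not part of the original answer or of Json.NET's own code. `Envelope`, `Probe` and `AllowListBinder` are hypothetical types written for this illustration; `Probe` is a harmless stand-in for an attacker-chosen type, not a gadget. With `TypeNameHandling.Auto` and a property typed as `object`, the `$type` discriminator in the JSON decides which class gets instantiated; with `TypeNameHandling.None` the discriminator is inert, and with an allow-list `ISerializationBinder` any unexpected type name is rejected before it is resolved.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO. Because Payload is typed as object, every .NET type is
// assignable to it, so a "$type" inside Payload is honoured under Auto.
public class Envelope
{
    public string Id { get; set; }
    public object Payload { get; set; }
}

// Hypothetical benign type: its setter only logs, which is enough to show
// that the attacker's "$type" selected the class and drove its setter.
public class Probe
{
    private string _value;
    public string Value
    {
        get => _value;
        set { _value = value; Console.WriteLine($"Probe.Value setter ran with: {value}"); }
    }
}

// Allow-list binder: resolves only the types this application expects and
// refuses everything else, so a "$type" naming e.g. ObjectDataProvider fails
// before the type is ever loaded.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["Probe"] = typeof(Probe),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted by the binder.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: the "$type" value is attacker-controlled.
        string asm = typeof(Probe).Assembly.GetName().Name;
        string attackerJson =
            "{\"Id\":\"42\",\"Payload\":{\"$type\":\"Probe, " + asm + "\",\"Value\":\"hello from $type\"}}";
        // Same shape, but naming a type the application never expected.
        string unexpectedJson =
            "{\"Id\":\"42\",\"Payload\":{\"$type\":\"System.Version, mscorlib\",\"Major\":1}}";

        // 1) Weak: Auto + an object-typed property. The JSON picks the class.
        var weak = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
        var e1 = JsonConvert.DeserializeObject<Envelope>(attackerJson, weak);
        Console.WriteLine("Auto, no binder     -> Payload is " + e1.Payload.GetType().Name);

        // 2) Safe default: None. "$type" is not used for type resolution and
        //    Payload stays a plain JObject; no caller-chosen type is constructed.
        var none = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        var e2 = JsonConvert.DeserializeObject<Envelope>(attackerJson, none);
        Console.WriteLine("None                -> Payload is " + e2.Payload.GetType().Name);

        // 3) If polymorphism is genuinely required: Auto + allow-list binder.
        var bound = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,
            SerializationBinder = new AllowListBinder(),
        };
        var e3 = JsonConvert.DeserializeObject<Envelope>(attackerJson, bound);
        Console.WriteLine("Auto + binder, Probe -> Payload is " + e3.Payload.GetType().Name);
        try
        {
            JsonConvert.DeserializeObject<Envelope>(unexpectedJson, bound);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("Auto + binder, other -> rejected: " + ex.Message);
        }
    }
}
```

The first case is the situation the answer warns about: nothing in `Envelope` names `Probe`, yet `Probe` is what gets built and its setter runs, purely because `object` accepts anything. Prefer `TypeNameHandling.None` for any JSON that crosses a trust boundary; where `Auto` or `Objects` cannot be avoided, pair it with a binder that allows only the concrete types the application actually serializes, and keep `object`/`dynamic` properties out of externally deserialized models.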
