Fixing untrusted data deserialization
Missing type checks are not the only thing to look out for when it comes to deserialization—the data itself must be validated for its integrity.
Let's see in action how untrusted data deserialization can exploit our sample Online Banking web application.
Testing untrusted data deserialization
To test if our sample Online Banking web application is vulnerable to untrusted data deserialization, we follow these steps and use a tainted file:
- Navigate to Terminal | New Terminal in the menu or do this by simply pressing Ctrl + Shift + ' in VS Code.
- Type the following command in the terminal to build and run the sample app:
dotnet run
- Open a browser and go to
https://localhost:5001/Loans/Upload
. - Log in using the following credentials:
a) Email:
[email protected]
b) Password:
6GKqqtQQTii92ke!
- Once authenticated, you will be redirected to the Upload Loan Application page. This page will allow a loan officer...