
Applications should stop using BinaryFormatter as soon as possible #15

Open
A9G-Data-Droid opened this issue Sep 2, 2020 · 0 comments

Comments

@A9G-Data-Droid

I wanted to edit the user config and I was shocked to find binary data instead of simple text for a settings file. When I dug further I found that the use of BinaryFormatter makes this application totally unsafe to use.

That's two clear reasons to stop using BinaryFormatter for settings. I would recommend using something that the user can edit, like JSON or XML. This will make maintaining settings much easier and more secure.

The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.

An attacker who successfully leverages these vulnerabilities against an app can cause denial of service (DoS), information disclosure, or remote code execution inside the target app. This risk category consistently makes the OWASP Top 10. Targets include apps written in a variety of languages, including C/C++, Java, and C#.

In .NET, the biggest risk target is apps that use the BinaryFormatter type to deserialize data.

SOURCE: https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
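As an added illustration (not code from this issue or from the project it was filed against), the settings-file pattern the report objects to is shown beside the JSON replacement it recommends; the `AppSettings` type, its members and the file path are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical settings type; the member names are assumptions for this example.
[Serializable]
public sealed class AppSettings
{
    public string Theme { get; set; } = "light";
    public int FontSize { get; set; } = 12;
}

public static class SettingsStore
{
    // BEFORE: the pattern the issue objects to. The on-disk bytes are opaque to the
    // user, and BinaryFormatter.Deserialize reconstructs whatever types the payload
    // names, so a tampered settings file is processed with the application's privileges.
    // Recent .NET versions (8 and later) throw NotSupportedException here unless the
    // project explicitly re-enables BinaryFormatter.
    public static AppSettings LoadUnsafe(string path)
    {
        using var stream = File.OpenRead(path);
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
        return (AppSettings)new BinaryFormatter().Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // AFTER: System.Text.Json. The file is plain text the user can edit, and the
    // deserializer only populates members of the type named at the call site, so the
    // payload cannot choose which types get instantiated.
    private static readonly JsonSerializerOptions Options = new() { WriteIndented = true };

    public static void Save(AppSettings settings, string path) =>
        File.WriteAllText(path, JsonSerializer.Serialize(settings, Options));

    public static AppSettings Load(string path)
    {
        if (!File.Exists(path)) return new AppSettings();   // no file yet: defaults
        try
        {
            return JsonSerializer.Deserialize<AppSettings>(File.ReadAllText(path), Options)
                   ?? new AppSettings();
        }
        catch (JsonException)
        {
            return new AppSettings();   // corrupt or badly hand-edited file: defaults
        }
    }
}
```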
