Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using SoapFormatter for deserialization is insecure because it can execute malicious code embedded in untrusted input. Even if the data source appears safe, SoapFormatter cannot be made secure and should not be used.
Impact
If exploited, an attacker could send specially crafted SOAP data to execute arbitrary code on your server, leading to data breaches, server takeover, or further internal attacks. This could result in severe compromise of application integrity and organizational security.
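The pattern this rule flags beside a safer replacement, as an added example that is not part of the original rule page. The `Order` type and the two handler methods are assumptions; SoapFormatter itself ships only with .NET Framework (`System.Runtime.Serialization.Formatters.Soap`), while the safe variant targets .NET 8 for the `UnmappedMemberHandling` option.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;
using System.Text.Json;
using System.Text.Json.Serialization;

// Constructed example, not code from the original page. Order and the
// handler methods below are assumptions used only to show the pattern.
[Serializable]
public class Order
{
    public int Id { get; set; }
    public string Customer { get; set; }
}

public static class OrderHandlers
{
    // VULNERABLE (CWE-502): SoapFormatter reconstructs whatever types the
    // payload names, so the sender, not the application, decides which
    // objects are created while the request is being read.
    public static Order HandleRequestUnsafe(Stream untrustedBody)
    {
        var formatter = new SoapFormatter();
        return (Order)formatter.Deserialize(untrustedBody);
    }

    // SAFER: a data-only serializer bound to one expected type. JsonSerializer
    // never instantiates types named inside the payload; it only populates
    // the public properties of Order, and the result is validated before use.
    public static Order HandleRequestSafe(Stream untrustedBody)
    {
        var options = new JsonSerializerOptions
        {
            // Reject members Order does not declare instead of ignoring them (.NET 8+).
            UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        };

        var order = JsonSerializer.Deserialize<Order>(untrustedBody, options)
                    ?? throw new InvalidDataException("empty or null order");

        if (order.Id <= 0 || string.IsNullOrWhiteSpace(order.Customer))
            throw new InvalidDataException("order failed validation");

        return order;
    }
}
```

A scanner flagging this rule should see `HandleRequestUnsafe` as a hit and `HandleRequestSafe` as clean; the fix is replacing the formatter, not filtering its input.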