Skip to content

Latest commit

 

History

History
59 lines (48 loc) · 5.76 KB

attack-tree.md

File metadata and controls

59 lines (48 loc) · 5.76 KB

Attack Tree Analysis for jamesnk/newtonsoft.json

Objective: To achieve Remote Code Execution (RCE) or cause a Denial of Service (DoS) on an application using Newtonsoft.Json, leveraging vulnerabilities within the library.

Attack Tree Visualization

Compromise Application using Newtonsoft.Json | --> Achieve Remote Code Execution (RCE) | | | --> Type Handling Vulnerabilities [HIGH RISK] | | | --> TypeNameHandling.All [CRITICAL] [HIGH RISK] | --> $type Property [HIGH RISK] | --> No Type Validation (Application-Level) [HIGH RISK] | --> Known Vulnerable Type [HIGH RISK] | --> Cause Denial of Service (DoS) | --> Resource Exhaustion | --> Large Payload [HIGH RISK]

Attack Tree Path: Achieve Remote Code Execution (RCE)

  • Type Handling Vulnerabilities [HIGH RISK]: This is the most dangerous area of attack, focusing on how Json.NET handles type information during deserialization.

    • TypeNameHandling.All [CRITICAL] [HIGH RISK]:

      • Description: This setting instructs Json.NET to deserialize objects based on type information provided within the JSON payload itself (using the $type property). It allows the attacker to specify any .NET type.
      • Why it's Critical/High-Risk: This is the most dangerous setting because it gives the attacker complete control over the types being instantiated. It's almost a guaranteed path to RCE if untrusted data is deserialized.
      • Exploitation: The attacker crafts a JSON payload with the $type property set to a malicious type (e.g., a type that executes code in its constructor, OnDeserialized method, or through a gadget chain).
      • Mitigation: Never use TypeNameHandling.All with untrusted data. Use TypeNameHandling.None or a custom SerializationBinder.

    • $type Property [HIGH RISK]:

      • Description: This is the JSON property used to specify the type to be deserialized when TypeNameHandling is enabled (even with settings other than All).
      • Why it's High-Risk: Even with more restrictive TypeNameHandling settings, manipulating the $type property can still lead to RCE if the application doesn't perform its own type validation or if a bypass for the Json.NET security checks is found.
      • Exploitation: The attacker crafts a JSON payload, manipulating the $type property to point to a vulnerable type, even if it's not explicitly allowed by the TypeNameHandling setting (e.g., exploiting a known gadget chain or a type with a dangerous deserialization callback).
      • Mitigation: Use a custom SerializationBinder to strictly control allowed types. Implement thorough application-level type validation after deserialization.

    • No Type Validation (Application-Level) [HIGH RISK]:

      • Description: This refers to the situation where the application deserializes JSON data without performing its own checks on the resulting object types. It relies solely on Json.NET's settings.
      • Why it's High-Risk: Even if TypeNameHandling is set to a safer value (like None or Objects), vulnerabilities can still exist. Attackers might exploit type converters, custom deserialization logic, or other subtle weaknesses. Without application-level checks, these vulnerabilities can lead to RCE.
      • Exploitation: The attacker crafts a JSON payload that, while not necessarily specifying a malicious type directly (via $type), results in the instantiation of an object that can be used to execute code (e.g., a type with a vulnerable property setter or a type that triggers dangerous behavior when certain methods are called).
      • Mitigation: Always perform thorough type validation after deserialization. Check that the deserialized objects are of the expected types and that their properties have safe values.

    • Known Vulnerable Type [HIGH RISK]:

      • Description: This refers to exploiting a type that is known to be vulnerable in a specific version of Json.NET (or a related library). These vulnerabilities are often documented in CVEs (Common Vulnerabilities and Exposures).
      • Why it's High-Risk: Exploits for known vulnerabilities are often publicly available, making them easy to use. If an application uses a vulnerable version and doesn't mitigate the specific vulnerability, it's highly susceptible.
      • Exploitation: The attacker uses a publicly available exploit or crafts a payload based on the known vulnerability details. The payload will typically include the $type property set to the vulnerable type.
      • Mitigation: Keep Newtonsoft.Json updated to the latest version. Monitor for CVEs related to Json.NET and apply patches promptly. Use a custom SerializationBinder to prevent deserialization of known vulnerable types, even if the library is not yet patched.

Attack Tree Path: Cause Denial of Service (DoS)

  • Resource Exhaustion
    • Large Payload [HIGH RISK]:
      • Description: Sending a very large JSON payload to the server.
      • Why it's High-Risk: This is a simple and effective DoS attack. It requires minimal effort and can easily overwhelm server resources (memory, CPU).
      • Exploitation: The attacker sends a very large JSON file (e.g., several gigabytes) to the application's endpoint that handles JSON input.
      • Mitigation: Implement strict limits on the size of JSON payloads that the application will accept. Use input validation to reject excessively large requests.