Use of Deserialisation in .NET Framework Methods and Classes
These days it is quite common to see a deserialisation flaw in a product. Although security researchers are generally aware of how to find and exploit this type of vulnerability, developers can still struggle to secure their code, especially when they are not fully aware of the dangerous methods and functionality that require safeguarding.
It is therefore important for developers, as well as security researchers, to understand where and how deserialisation functionality is used. Although it might be relatively easy to find an in-house function that uses deserialisation, it is often harder to know whether underlying functionality in a third-party or framework library does. We have performed initial research to identify potentially sensitive functionality in the .NET Framework 4.7.2 that uses deserialisation, which we hope will be useful to source code reviewers.