Input Validation


In trusted server scenarios in which remoting solutions should be used, front-end Web applications generally perform input validation. The data is fully validated before it is passed to the remoted components. If you can guarantee that the data passed to a remoted component can only come from within the current trust boundary, you can let the upstream code perform the input validation.

If, however, your remoting solution can be accessed by arbitrary client applications running in the enterprise, your remote components should validate input and be wary of serialization attacks and MarshalByRefObject attacks.

Serialization Attacks

You can pass object parameters to remote components either by using the call context or by passing them through regular input parameters to the methods that are exposed by the remote component. It is possible for a malicious client to serialize an object and then pass it to a remote component with the explicit intention of tripping up the remote component or causing it to perform an unintended operation. Unless you can trust the client, you should carefully validate each field item in the deserialized object, because the object parameter is created on the server.

MarshalByRefObject Attacks

Objects that derive from System.MarshalByRefObject require a URL in order to make call backs to the client. It is possible for the callback URL to be spoofed so that the server connects to a different client computer, for example, a computer behind a firewall.

You can mitigate the risk of serialization and MarshalByRefObject attacks with version 1.1 of the .NET Framework by setting the typeFilterLevel attribute on the <formatter> element to Low. This instructs the .NET Framework remoting infrastructure to serialize only those objects it needs in order to perform the method invocation, and to reject any custom objects that support serialization that you create and put in the call context or pass as parameters. You can configure this setting in Web.config or programmatically as shown below.

  <formatter ref="binary" typeFilterLevel="Low" />

or

  BinaryServerFormatterSinkProvider provider = new BinaryServerFormatterSinkProvider();
  provider.TypeFilterLevel = TypeFilterLevel.Low;
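A minimal server host that combines both countermeasures from this section, as an added example that is not from the book: the programmatic TypeFilterLevel.Low setting shown above, and field-by-field validation of a deserialized parameter object before the remote method acts on it. OrderRequest, OrderService, the port and the validation rules are constructed for this example; RegisterChannel(channel, false) is the .NET Framework 2.0+ overload, version 1.1 uses RegisterChannel(channel).

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Constructed parameter type: the server treats every field as untrusted input.
[Serializable]
public class OrderRequest
{
    public string CustomerId;
    public int Quantity;
}

public class OrderService : MarshalByRefObject
{
    // Validate each field of the deserialized object (hypothetical rules for the example).
    public static bool IsValid(OrderRequest req)
    {
        if (req == null) return false;
        if (req.CustomerId == null || req.CustomerId.Length == 0 || req.CustomerId.Length > 32) return false;
        foreach (char c in req.CustomerId)
            if (!char.IsLetterOrDigit(c)) return false;   // allow-list of characters only
        return req.Quantity > 0 && req.Quantity <= 1000;   // bounded range
    }

    public string PlaceOrder(OrderRequest req)
    {
        if (!IsValid(req))
            throw new ArgumentException("Invalid order request");
        return "Accepted " + req.Quantity + " item(s) for " + req.CustomerId;
    }
}

public static class Host
{
    public static void Main()
    {
        // Programmatic equivalent of <formatter ref="binary" typeFilterLevel="Low" />.
        BinaryServerFormatterSinkProvider provider = new BinaryServerFormatterSinkProvider();
        provider.TypeFilterLevel = TypeFilterLevel.Low;

        IDictionary props = new Hashtable();
        props["port"] = 8085;   // constructed port for the example
        TcpChannel channel = new TcpChannel(props, null, provider);
        ChannelServices.RegisterChannel(channel, false);

        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(OrderService), "OrderService.rem", WellKnownObjectMode.SingleCall);
        Console.WriteLine("Listening on tcp://localhost:8085/OrderService.rem");
        Console.ReadLine();
    }
}
```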



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613

flylib.com © 2008-2017.