Serialization Vulnerabilities with Razdex

Microsoft announced that the BinaryFormatter class is insecure and cannot be made secure, but how bad can it be?

How about a remote code execution exploit?

Join us at DC215 where you’ll see a demo of this attack and how it’s also exposed through JSON and Newtonsoft.

Demos and code samples are in C#, but this exploit is possible in any insecure deserialization process. By the end of this talk, you'll know what to look for in your code and how to prevent it. If you're a red teamer or pen tester you'll add another attack vector to your toolkit.