These attacks include serialization exploits of platforms that don't use well-known .NET serializers, "mutation" attacks that can exploit deserialization even when the serialized data cannot be tampered with, and techniques for bypassing serialization binders. New remote code execution vulnerabilities in MongoDB, LiteDB, ServiceStack.Redis, RavenDB, MartenDB, JSON.Net and the .NET JavaScriptSerializer are all demonstrated.

Because these attacks violate typical assumptions regarding serializer security, applications that use these platforms and technologies are very likely to be vulnerable. Mitigations made to the vulnerable platforms discussed in this talk are limited, and application-level fixes will still be required in many cases. This talk describes techniques to detect and mitigate these vulnerabilities, along with best practices for avoiding them.