JsonKnownTypes
Simple way to serialize and deserialize polymorphic types for Json.NET (by dmitry-bym)
ysoserial.net
Deserialization payload generator for a variety of .NET formatters (by pwntester)
JsonKnownTypes | ysoserial.net | |
---|---|---|
2 | 3 | |
41 | 3,033 | |
- | - | |
3.2 | 6.0 | |
12 days ago | 7 months ago | |
C# | C# | |
MIT License | MIT License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
JsonKnownTypes
Posts with mentions or reviews of JsonKnownTypes.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-05-05.
- c# deserializing polymorphic json using json.net
-
Json locations
I'm using dual serialization for the heavily polymorphic data structures in my game - MessagePack with integer keys and union polymorphism for the wire format and local storage, and Json.NET with string keys and JsonKnownTypes polymorphism for debug output and long term persistence in RethinkDB. Here's what one of my simpler polymorphic data structures looks like. Lots of attributes but that's the price you pay I guess.
ysoserial.net
Posts with mentions or reviews of ysoserial.net.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2024-05-13.
-
Statement on CVE-2024-27322
I was thinking of BinaryFormatter and NetDataContractSerializer, etc. unsafe .NET object deserialization. I don't mean JSON that's right lmao
https://github.com/pwntester/ysoserial.net
-
Json locations
Any unchecked deserialization is dangerous - as you can see in this repo the same attack works on Json.NET, since you can inject a payload that performs arbitrary remote code execution.
-
Which data types are serializable by default in c sharp?
So if you have some type within your application that does something sensitive or disruptive in its constructor, an attacker can craft a stream of bytes that asks the application to create that type. From there, all kinds of crazy things can happen. Here's a privilege escalation exploit discovered in Docker for Windows that relied on BinaryFormatter. Digging into some things he mentioned I found an entire exploit suite for .NET serialization. Through very clever tricks, it creates types that, when deserialized, will execute commands. That's a big deal.
What are some alternatives?
When comparing JsonKnownTypes and ysoserial.net you can also consider the following projects:
JsonSubTypes - Discriminated Json Subtypes Converter implementation for .NET
MessagePack for C# (.NET, .NET Core, Unity, Xamarin) - Extremely Fast MessagePack Serializer for C#(.NET, .NET Core, Unity, Xamarin). / msgpack.org[C#]
Json.NET - Json.NET is a popular high-performance JSON framework for .NET
ServiceStack.Text - .NET's fastest JSON, JSV and CSV Text Serializers
Aetheria-Economy - Sci-fi ARPG made in Unity
Zorya - C# implementation of the variant type.
JsonKnownTypes vs JsonSubTypes
ysoserial.net vs MessagePack for C# (.NET, .NET Core, Unity, Xamarin)
JsonKnownTypes vs MessagePack for C# (.NET, .NET Core, Unity, Xamarin)
ysoserial.net vs Json.NET
JsonKnownTypes vs ServiceStack.Text
ysoserial.net vs Aetheria-Economy
JsonKnownTypes vs Json.NET
JsonKnownTypes vs Zorya