ysoserial.net
Deserialization payload generator for a variety of .NET formatters (by pwntester)
JsonKnownTypes
Simple way to serialize and deserialize polymorphic types for Json.NET (by dmitry-bym)
Our great sponsors
ysoserial.net | JsonKnownTypes | |
---|---|---|
2 | 2 | |
3,025 | 41 | |
- | - | |
6.0 | 4.0 | |
7 months ago | 5 months ago | |
C# | C# | |
MIT License | MIT License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ysoserial.net
Posts with mentions or reviews of ysoserial.net.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-05-05.
-
Json locations
Any unchecked deserialization is dangerous - as you can see in this repo the same attack works on Json.NET, since you can inject a payload that performs arbitrary remote code execution.
-
Which data types are serializable by default in c sharp?
So if you have some type within your application that does something sensitive or disruptive in its constructor, an attacker can craft a stream of bytes that asks the application to create that type. From there, all kinds of crazy things can happen. Here's a privilege escalation exploit discovered in Docker for Windows that relied on BinaryFormatter. Digging into some things he mentioned I found an entire exploit suite for .NET serialization. Through very clever tricks, it creates types that, when deserialized, will execute commands. That's a big deal.
JsonKnownTypes
Posts with mentions or reviews of JsonKnownTypes.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-05-05.
- c# deserializing polymorphic json using json.net
-
Json locations
I'm using dual serialization for the heavily polymorphic data structures in my game - MessagePack with integer keys and union polymorphism for the wire format and local storage, and Json.NET with string keys and JsonKnownTypes polymorphism for debug output and long term persistence in RethinkDB. Here's what one of my simpler polymorphic data structures looks like. Lots of attributes but that's the price you pay I guess.
What are some alternatives?
When comparing ysoserial.net and JsonKnownTypes you can also consider the following projects:
MessagePack for C# (.NET, .NET Core, Unity, Xamarin) - Extremely Fast MessagePack Serializer for C#(.NET, .NET Core, Unity, Xamarin). / msgpack.org[C#]
JsonSubTypes - Discriminated Json Subtypes Converter implementation for .NET
Json.NET - Json.NET is a popular high-performance JSON framework for .NET
Aetheria-Economy - Sci-fi ARPG made in Unity
ServiceStack.Text - .NET's fastest JSON, JSV and CSV Text Serializers
Zorya - C# implementation of the variant type.
ysoserial.net vs MessagePack for C# (.NET, .NET Core, Unity, Xamarin)
JsonKnownTypes vs JsonSubTypes
ysoserial.net vs Json.NET
JsonKnownTypes vs MessagePack for C# (.NET, .NET Core, Unity, Xamarin)
ysoserial.net vs Aetheria-Economy
JsonKnownTypes vs ServiceStack.Text
JsonKnownTypes vs Json.NET
JsonKnownTypes vs Zorya