How to Check JSON Strings for Insecure Deserialization Attacks using Node.js
Insecure deserialization has previously appeared in the OWASP Top 10 ranking of application vulnerabilities. Even as we head into 2024, basic .NET applications are still at risk of being exploited through this attack vector.
Using the code below, we can take advantage of a free API that identifies insecure deserialization attempts in JSON strings. Even if our application already has safety controls that block untrustworthy data, we can still benefit from a service designed specifically to point out when a JSON string contains insecure content, so that we can track and log those threats.
We can begin structuring our API call by installing the SDK. We can either run this command:
npm install cloudmersive-security-api-client --save
Or we can add this snippet to our package.json:
"dependencies": {
    "cloudmersive-security-api-client": "^1.2.0"
}
Lastly, we can use the remaining code to call the function and receive the detection result for our input JSON string. To authorize our request, we'll just need a free-tier API key, which will allow us to make up to 800 API calls per month (with no commitment):
var CloudmersiveSecurityApiClient = require('cloudmersive-security-api-client');
var defaultClient = CloudmersiveSecurityApiClient.ApiClient.instance;

// Configure API key authorization: Apikey
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = 'YOUR API KEY';

var apiInstance = new CloudmersiveSecurityApiClient.ContentThreatDetectionApi();

var value = "value_example"; // String | User-facing text input: the JSON string to check.

// The callback receives the detection result (or an error) once the API responds.
var callback = function(error, data, response) {
    if (error) {
        console.error(error);
    } else {
        console.log('API called successfully. Returned data: ' + data);
    }
};

apiInstance.contentThreatDetectionDetectInsecureDeserializationJsonString(value, callback);
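The API call above runs remotely, so it is useful to pair it with a local, offline check that we control and can log in the same place. The following is an added example, not code from the original post or from the Cloudmersive SDK: it parses the incoming JSON with JSON.parse (which never executes code) and walks the result looking for the "$type" key, the type-name discriminator that Json.NET honours when TypeNameHandling is enabled and the usual carrier of insecure deserialization payloads in JSON. The function names (checkJsonString, findTypeDiscriminators), the TYPE_DISCRIMINATOR_KEYS set and the sample inputs are all assumptions constructed for this example; they are not part of the API.

```javascript
'use strict';

// Added example (not part of the original post or the Cloudmersive SDK).
// Keys that tell a .NET JSON deserializer which CLR type to instantiate.
// "$type" is Json.NET's discriminator; extend the set if your deserializer
// uses a different one. The set itself is an assumption of this example.
const TYPE_DISCRIMINATOR_KEYS = new Set(['$type']);

/**
 * Walk a parsed JSON value and collect every type-discriminator key found,
 * together with a JSON-pointer-like path and the key's value as a string.
 */
function findTypeDiscriminators(node, path = '', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findTypeDiscriminators(item, `${path}/${i}`, findings));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) {
      const childPath = `${path}/${key}`;
      if (TYPE_DISCRIMINATOR_KEYS.has(key)) {
        findings.push({ path: childPath, value: String(val) });
      }
      findTypeDiscriminators(val, childPath, findings);
    }
  }
  return findings;
}

/**
 * Inspect a raw JSON string and return a record suitable for logging:
 * whether it parsed, whether any discriminator was present, and where.
 * Malformed input is reported rather than thrown, so a broken payload
 * still produces a log entry instead of crashing the request handler.
 */
function checkJsonString(jsonString) {
  let parsed;
  try {
    parsed = JSON.parse(jsonString); // JSON.parse only builds data, never runs code
  } catch (err) {
    return { parsed: false, suspicious: false, findings: [], error: err.message };
  }
  const findings = findTypeDiscriminators(parsed);
  return { parsed: true, suspicious: findings.length > 0, findings };
}

// Constructed sample inputs for this example (not real traffic).
const SAMPLES = {
  benign: '{"user":"alice","roles":["reader"]}',
  typed: '{"$type":"System.Collections.Generic.List`1[[System.String, mscorlib]], mscorlib","$values":["a"]}',
  nested: '{"order":{"items":[{"$type":"Some.Type, SomeAssembly","qty":1}]}}',
  broken: '{"user": "alice"',
};

// Print one log line per sample so the output can be compared by eye.
for (const [name, json] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkJsonString(json)));
}
```

In practice checkJsonString would run on the request body before (or alongside) the remote API call, and its result would be written to the same threat log, so that a discriminator found locally and a positive result from the API are both recorded against the same request.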
Now we can easily identify and log any JSON insecure deserialization attempts that reach our application.