.NET Assembly & DLL Security
.NET applications compile to Intermediate Language (IL) assemblies that are easier to reverse-engineer than native binaries. This means sensitive logic, hardcoded credentials, and vulnerability patterns are more accessible to attackers. ViewState deserialization, BinaryFormatter, and reflection abuse remain critical attack vectors.
.NET Deserialization Risks
BinaryFormatter in .NET allows arbitrary code execution through deserialization; Microsoft itself documents it as insecure. ViewState deserialization in ASP.NET Web Forms is still exploited (CVE-2020-0688 in Exchange). TypeNameHandling.All in Json.NET enables type confusion attacks. These patterns persist in legacy .NET Framework applications.
Assembly Analysis Challenges
.NET IL is decompilable to near-original source quality using tools like ILSpy and dnSpy. Obfuscation (Confuser, Dotfuscator) complicates but does not prevent analysis. Native AOT compilation in .NET 8+ produces native binaries that require different analysis techniques — closer to C/C++ binary analysis.
Precogs AI .NET Analysis
Precogs AI analyzes .NET assemblies for unsafe deserialization (BinaryFormatter, ViewState, Json.NET TypeNameHandling), reflection abuse enabling code injection, hardcoded credentials in string constants and configuration sections, and DLL hijacking susceptibility in assembly loading paths.
Attack Scenario: ViewState MAC Forgery (ASP.NET)
An attacker targets an older ASP.NET WebForms portal deployed at a financial institution.
The `web.config` file has `<customErrors mode="Off" />`, and through an older path traversal flaw (or a GitHub leak) the attacker downloads the `web.config` file containing the `machineKey` settings.
The `machineKey` is used to cryptographically sign (MAC) the `__VIEWSTATE` hidden form parameter, which contains serialized UI state objects.
Using the stolen `machineKey` and a tool like `ysoserial.net`, the attacker generates a malicious `__VIEWSTATE` payload signed perfectly for the server.
The attacker visits the login page, injects their forged `__VIEWSTATE` parameter, and the IIS worker process deserializes it, executing a hidden payload that dumps the SQL database connection strings.
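The scenario above turns on three `web.config` settings: verbose errors, a plaintext `machineKey`, and ViewState that the server will accept. The following C# audit is an added example written for this page (it is not Precogs AI code and not from the original text): it parses a `web.config` and reports those settings. The sample configuration, the class name `ViewStateConfigAudit` and the dummy key values are constructed for illustration.

```csharp
// Added example (not part of the page or of Precogs AI): audit a web.config
// for the ViewState-related weaknesses in the scenario above. The sample
// config is constructed for illustration and its key values are dummies.
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class ViewStateConfigAudit
{
    // Constructed sample: every weakness from the scenario is present.
    const string SampleWebConfig = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <customErrors mode=""Off"" />
    <machineKey validationKey=""0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF""
                decryptionKey=""0123456789ABCDEF0123456789ABCDEF""
                validation=""HMACSHA256"" decryption=""AES"" />
    <pages enableViewStateMac=""false"" viewStateEncryptionMode=""Auto"" />
  </system.web>
</configuration>";

    public static List<string> Audit(string webConfigXml)
    {
        var findings = new List<string>();
        var systemWeb = XDocument.Parse(webConfigXml).Root?.Element("system.web");
        if (systemWeb == null) return findings;

        // Verbose error pages hand remote clients stack traces and server paths.
        if (Attr(systemWeb.Element("customErrors"), "mode") == "Off")
            findings.Add("customErrors mode=\"Off\": detailed errors are shown to remote clients");

        // A plaintext machineKey means anyone who reads web.config can compute
        // valid ViewState MACs. A section encrypted with aspnet_regiis -pe
        // carries a configProtectionProvider attribute and no plaintext key
        // attributes, so it produces no finding here.
        var machineKey = systemWeb.Element("machineKey");
        if (machineKey != null && Attr(machineKey, "configProtectionProvider") == null)
        {
            foreach (var name in new[] { "validationKey", "decryptionKey" })
            {
                var value = Attr(machineKey, name);
                if (value != null && !value.StartsWith("AutoGenerate", StringComparison.OrdinalIgnoreCase))
                    findings.Add($"machineKey {name} is stored in plaintext in web.config");
            }
        }

        // Without a MAC the server accepts any ViewState blob; without
        // encryption the serialized state is readable by the client.
        var pages = systemWeb.Element("pages");
        if (string.Equals(Attr(pages, "enableViewStateMac"), "false", StringComparison.OrdinalIgnoreCase))
            findings.Add("pages enableViewStateMac=\"false\": ViewState integrity check disabled");
        if (Attr(pages, "viewStateEncryptionMode") != "Always")
            findings.Add("pages viewStateEncryptionMode is not \"Always\"");

        return findings;
    }

    static string? Attr(XElement? element, string name) => element?.Attribute(name)?.Value;

    static void Main()
    {
        foreach (var finding in Audit(SampleWebConfig))
            Console.WriteLine("FINDING: " + finding);
    }
}
```

Run against the constructed sample, `Audit` returns five findings (verbose errors, both plaintext keys, MAC disabled, encryption not forced). The `AutoGenerate` exemption reflects that auto-generated keys never appear in the file; they are only a valid choice for a single-server deployment, because a web farm needs a shared key, which is exactly why the key then belongs in an HSM or a protected configuration section rather than in plaintext.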
Real-World Code Examples
BinaryFormatter Deserialization RCE
Microsoft officially obsoleted `BinaryFormatter` in .NET 5+ and has stated it cannot be made secure. However, thousands of legacy .NET Framework applications (WinForms, WCF, Remoting) still rely on it. Deserializing an MS-NRBF (.NET Remoting Binary Format) stream lets an attacker dictate exactly which classes the runtime instantiates, so gadget chains can execute arbitrary code (CWE-502).
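As an added illustration (not code from the page or from Precogs AI), here is the legacy pattern described above beside a hardened replacement. The legacy loader hands attacker-controlled bytes to `BinaryFormatter`; the hardened loader deserializes with `System.Text.Json` into one concrete type, so the payload cannot choose a class. `SessionTicket`, the store classes and the inputs are constructed for this example.

```csharp
// Added example (not from the page or Precogs AI): legacy BinaryFormatter
// loading beside a hardened System.Text.Json replacement. SessionTicket and
// all inputs are constructed for illustration.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

[Serializable]
public class SessionTicket
{
    public string User { get; set; } = "";
    public DateTime ExpiresUtc { get; set; }
}

static class LegacyTicketStore
{
    // CWE-502: the bytes decide which types the runtime constructs. The cast
    // below does not help, because gadget types run code during
    // deserialization, before the cast is reached. Compiles on .NET
    // Framework; on .NET 8 the call throws NotSupportedException unless the
    // legacy switch EnableUnsafeBinaryFormatterSerialization is turned on.
    public static SessionTicket Load(byte[] untrusted)
    {
        using var stream = new MemoryStream(untrusted);
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
        return (SessionTicket)new BinaryFormatter().Deserialize(stream);
#pragma warning restore SYSLIB0011
    }
}

static class HardenedTicketStore
{
    // A contract-based serializer bound to one concrete type: System.Text.Json
    // never reads type names from the payload, unknown properties are
    // ignored, and malformed input throws JsonException at the boundary.
    static readonly JsonSerializerOptions Options = new() { MaxDepth = 16 };

    public static byte[] Save(SessionTicket ticket) =>
        JsonSerializer.SerializeToUtf8Bytes(ticket, Options);

    public static SessionTicket Load(byte[] untrusted)
    {
        var ticket = JsonSerializer.Deserialize<SessionTicket>(untrusted, Options)
                     ?? throw new InvalidDataException("empty ticket");
        // Deserialization only restores data; business checks still apply.
        if (string.IsNullOrEmpty(ticket.User) || ticket.ExpiresUtc <= DateTime.UtcNow)
            throw new InvalidDataException("ticket is invalid or expired");
        return ticket;
    }
}

static class Program
{
    static void Main()
    {
        var ticket = new SessionTicket { User = "alice", ExpiresUtc = DateTime.UtcNow.AddHours(1) };
        var bytes = HardenedTicketStore.Save(ticket);
        Console.WriteLine(HardenedTicketStore.Load(bytes).User);            // alice

        // Constructed input with an extra property: ignored, not instantiated.
        var extra = Encoding.UTF8.GetBytes(
            "{\"User\":\"bob\",\"ExpiresUtc\":\"2099-01-01T00:00:00Z\",\"Role\":\"admin\"}");
        Console.WriteLine(HardenedTicketStore.Load(extra).User);            // bob

        // Constructed malformed input: rejected before any object is built.
        try { HardenedTicketStore.Load(Encoding.UTF8.GetBytes("{\"User\":")); }
        catch (JsonException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The point of the replacement is not the JSON syntax but the binding: the target type is fixed at the call site, so the input can only populate fields of `SessionTicket`. Where the legacy format cannot be dropped immediately, the same boundary check (type fixed by code, content validated after load) is what the migration should converge on.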
Detection & Prevention Checklist
- ✓ Locate and fully eradicate the usage of `BinaryFormatter`, `NetDataContractSerializer`, and `LosFormatter` in all .NET solutions
- ✓ Run the `Security Code Scan` Roslyn analyzer in Visual Studio to catch .NET-specific injection patterns during compilation
- ✓ Secure legacy ASP.NET `machineKey` values in an external HSM or Azure Key Vault instead of hardcoding them in `web.config`
- ✓ Enforce strong assembly signing (strong-naming) and configure Application Control to prevent reflection loads of unsigned modules
- ✓ Audit generic JSON setups: ensure `TypeNameHandling.All` and `.Auto` are globally disabled in `Newtonsoft.Json` configurations that process untrusted data
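The Json.NET type confusion risk named in the deserialization section above and the last checklist item both come down to `TypeNameHandling`. This added example (not code from the page or from Precogs AI) shows the permissive settings next to the hardened ones: a `None` default for the whole application, and, where polymorphism is genuinely needed, an allowlist `ISerializationBinder` that rejects unknown type names before Json.NET tries to construct them. `Order`, the binder's name map and the payloads are constructed for this example.

```csharp
// Added example (not from the page or Precogs AI): permissive vs. hardened
// Newtonsoft.Json settings. Order, the allowlist and payloads are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Order
{
    public string Id { get; set; } = "";
    public decimal Total { get; set; }
}

static class VulnerableJson
{
    // TypeNameHandling.All (and .Auto on object-typed members) lets the
    // payload's "$type" select any type the process can load.
    public static readonly JsonSerializerSettings Settings = new()
    {
        TypeNameHandling = TypeNameHandling.All,
    };

    public static object? Parse(string json) =>
        JsonConvert.DeserializeObject<object>(json, Settings);
}

static class HardenedJson
{
    // Application-wide default: never resolve type names from input.
    public static readonly JsonSerializerSettings Settings = new()
    {
        TypeNameHandling = TypeNameHandling.None,
        MaxDepth = 32,
    };

    public static Order ParseOrder(string json) =>
        JsonConvert.DeserializeObject<Order>(json, Settings)
        ?? throw new JsonSerializationException("empty payload");

    // Allowlist binder: short fixed names map to known types; anything else
    // is rejected before Json.NET attempts to construct it.
    sealed class AllowListBinder : ISerializationBinder
    {
        static readonly Dictionary<string, Type> Allowed = new() { ["order"] = typeof(Order) };

        public Type BindToType(string? assemblyName, string typeName) =>
            Allowed.TryGetValue(typeName, out var type)
                ? type
                : throw new JsonSerializationException($"type '{typeName}' is not allowed");

        public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
        {
            assemblyName = null;
            typeName = Allowed.Single(kv => kv.Value == serializedType).Key;
        }
    }

    public static readonly JsonSerializerSettings PolymorphicSettings = new()
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder(),
        MaxDepth = 32,
    };
}

static class Program
{
    static void Main()
    {
        // Make the hardened settings the default for every JsonConvert call.
        JsonConvert.DefaultSettings = () => HardenedJson.Settings;

        // Constructed payloads: one smuggles an unknown type name, one uses an allowlisted name.
        const string hostile = "{\"$type\":\"Some.Other.Type, SomeAssembly\",\"Id\":\"A1\",\"Total\":9.5}";
        const string allowed = "{\"$type\":\"order\",\"Id\":\"B2\",\"Total\":1.25}";

        // With TypeNameHandling.None the "$type" metadata is not resolved; data still loads.
        var order = HardenedJson.ParseOrder(hostile);
        Console.WriteLine($"{order.Id} {order.Total}");   // A1 9.5

        // Allowlisted polymorphism: the known name binds, the unknown one is refused.
        var ok = JsonConvert.DeserializeObject<Order>(allowed, HardenedJson.PolymorphicSettings);
        Console.WriteLine(ok?.Id);                          // B2
        try { JsonConvert.DeserializeObject<Order>(hostile, HardenedJson.PolymorphicSettings); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

`VulnerableJson` is the "before" and is never called here; it is the configuration a code scan should flag. Note that `JsonConvert.DefaultSettings` covers the static `JsonConvert` helpers and `JsonSerializer.CreateDefault()`, so call sites that build their own `JsonSerializerSettings` still need to be audited individually.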
How Precogs AI Protects You
Precogs AI analyzes .NET assemblies and AOT binaries for BinaryFormatter deserialization, ViewState attacks, Json.NET type confusion, reflection abuse, and credential exposure — covering both .NET Framework and .NET 8+ applications.
What security risks do .NET assemblies have?
.NET assemblies face deserialization attacks (BinaryFormatter, ViewState), reflection abuse, type confusion, and DLL hijacking. Precogs AI analyzes compiled .NET IL and native AOT binaries for these vulnerabilities.
Scan for .NET Assembly & DLL Security Issues
Precogs AI automatically detects .NET assembly & DLL security vulnerabilities and generates AutoFix PRs.