Reino: Code Quality

Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.

Code Correctness: Missing [Serializable] Attribute

Abstract
Las clases que implementan la interfaz ISerializable, pero que no declaran el atributo [Serializable] no se serializarán.
Explanation
El tiempo de ejecución de .NET permite la serialización de cualquier objeto que declare el atributo [Serializable]. Si la clase se puede serializar mediante los métodos de serialización predeterminados definidos por .NET Framework, esto es necesario y suficiente para que el objeto se serialice correctamente. Si la clase requiere métodos de serialización personalizados, debe implementar también la interfaz ISerializable. Sin embargo, la clase debe declarar aún el atributo [Serializable].

Ejemplo 1: la clase CustomStorage implementa la interfaz ISerializable. Sin embargo, debido a que no puede declarar el atributo [Serializable], no se serializará.


public class CustomStorage: ISerializable {
	...
}
References
[1] CA2237: Mark ISerializable types with SerializableAttribute Microsoft Corporation
[2] Piet Obermeyer and Jonathan Hawkins MSDN Library: Object Serialization in the .NET Framework
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_missing_serializable_attribute