Friday, June 4, 2021

Why can using setters in deserialization lead to remote code execution?

I have read (in the "json attacks" talk at Black Hat) that when using deserialization libraries, they may use reflection (on the object's members) or setters in order to construct the object. According to the talk, using reflection is not dangerous (and will not lead to remote code execution directly) as it does not invoke any methods.

It made me curious about two things:

  1. Why isn't using reflection dangerous? (It constructs an object too in the end; it looks the same as using setters to me.)

  2. How can using setters lead to remote code execution? (Why is it so dangerous?)

Thank you
