Classes that implement the ISerializable
interface but do not declare the [Serializable]
attribute will not be serialized.
The .NET runtime will permit the serialization of any object that declares the [Serializable]
attribute. If the class can be serialized using the default serialization methods defined by the .NET framework, this is both necessary and sufficient for the object to be correctly serialized. If the class requires custom serialization methods, it must also implement the ISerializable
interface. However, the class must still declare the [Serializable]
attribute.
Example 1: The CustomStorage
class implements the ISerializable
interface. However, because it fails to declare the [Serializable]
attribute, it will not be serialized.
public class CustomStorage: ISerializable {
...
}
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730
[4] Mark ISerializable types with Serializable Microsoft Corporation
[5] Piet Obermeyer and Jonathan Hawkins MSDN Library: Object Serialization in the .NET Framework
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9