ABSTRACT

Classes that implement the ISerializable interface but do not declare the [Serializable] attribute will not be serialized.

EXPLANATION

The .NET runtime will permit the serialization of any object that declares the [Serializable] attribute. If the class can be serialized using the default serialization methods defined by the .NET Framework, declaring the attribute is both necessary and sufficient for the object to be serialized correctly. If the class requires custom serialization logic, it must also implement the ISerializable interface; however, implementing the interface does not replace the attribute, and the class must still declare [Serializable].

Example 1: The CustomStorage class implements the ISerializable interface. However, because it fails to declare the [Serializable] attribute, it will not be serialized.


using System;
using System.Runtime.Serialization;

// Implements ISerializable but omits [Serializable]: the runtime formatter
// rejects instances of this class when asked to serialize them.
public class CustomStorage : ISerializable {
...
}
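The following is an added example, not code from the original page: it places a class with the defect described above (ISerializable implemented, [Serializable] omitted) next to the corrected form, and runs both through the BinaryFormatter so the difference is observable. The class names UnmarkedStorage and MarkedStorage, the field name "Value", and the TrySerialize helper are assumptions introduced for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Defective form (hypothetical class): implements ISerializable but does not
// declare [Serializable]. The formatter refuses to serialize it.
public class UnmarkedStorage : ISerializable
{
    public string Value { get; private set; }

    public UnmarkedStorage(string value) { Value = value; }

    // Deserialization constructor that the ISerializable contract expects.
    protected UnmarkedStorage(SerializationInfo info, StreamingContext context)
    {
        Value = info.GetString("Value");
    }

    // Custom serialization: write the fields we want persisted.
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("Value", Value);
    }
}

// Corrected form: identical except that the attribute is declared.
[Serializable]
public class MarkedStorage : ISerializable
{
    public string Value { get; private set; }

    public MarkedStorage(string value) { Value = value; }

    protected MarkedStorage(SerializationInfo info, StreamingContext context)
    {
        Value = info.GetString("Value");
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("Value", Value);
    }
}

public static class Demo
{
    // Returns true if the formatter accepted the object graph, false if it
    // threw SerializationException. BinaryFormatter is used here only because
    // it is the runtime formatter that honours [Serializable]/ISerializable;
    // it is not safe to use on untrusted input and is disabled in current .NET.
    public static bool TrySerialize(object graph)
    {
        var formatter = new BinaryFormatter();
        using (var stream = new MemoryStream())
        {
            try
            {
                formatter.Serialize(stream, graph);
                return true;
            }
            catch (SerializationException)
            {
                return false;
            }
        }
    }

    public static void Main()
    {
        Console.WriteLine("UnmarkedStorage serialized: " + TrySerialize(new UnmarkedStorage("data")));
        Console.WriteLine("MarkedStorage serialized:   " + TrySerialize(new MarkedStorage("data")));
    }
}
```

On the .NET Framework, the first call fails with a SerializationException reporting that the type is not marked as serializable, while the second succeeds; the only difference between the two classes is the attribute. A static check for this defect is therefore simple: flag any type that implements ISerializable without also carrying [Serializable].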

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730

[4] Microsoft Corporation. Mark ISerializable types with Serializable.

[5] Piet Obermeyer and Jonathan Hawkins. Object Serialization in the .NET Framework. MSDN Library.

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9