You work as the application developer at Domain.com. Domain.com uses Visual Studio.NET 2005 as its application development platform.
You are developing a .NET Framework 2.0 remoting application. Your computer system relies on run-time type validation.
You are required to deserialize a remote stream by using the BinaryFormatter class in your application, while configuring the BinaryFormatter object to protect against deserialization attacks by deserializing only the types associated with the most basic remoting functionality.
What should you do?
A. The TypeFormat property should be set to FormatterTypeStyle.TypesAlways
B. The TypeFormat property should be set to FormatterTypeStyle.TypesWhenNeeded
C. The FilterLevel property should be set to TypeFilterLevel.Full
D. The FilterLevel property must be set to TypeFilterLevel.Low
Explanation:
The best choice in this scenario is to set the FilterLevel property of the BinaryFormatter object to TypeFilterLevel.Low, which deserializes only the types needed for the most basic remoting functionality and so helps protect against deserialization attacks.
Incorrect Answers:
A, B: The TypeFormat property cannot be used to restrict which types are deserialized, because it only controls how type information is laid out in the serialized stream.
C: This setting should not be used, because it allows all types to be deserialized and so offers no protection against deserialization attacks in this scenario.
I choose D