The lack of reflection in Medium Trust hosting environments seems to cause a lot of problems for a lot of popular web applications.
- Why is ReflectionPermission disabled by default with Medium Trust?
- What risk does reflection pose in a shared hosting environment?
For random reference, see MSDN: Using Medium Trust in ASP.NET 2.0
Reflection allows malicious code to inspect all kinds of secrets: not so much intellectual property (though sure, that too), but data that should be private and secure, like connection strings, passwords, bank account data, etc.
Of course, many programs expose this data as a matter of course through even more easily compromised vectors, but there is no reason to increase an application's attack surface.
Edited to bring some of the conversation up from the comments:
It's probably true that the real risk is unrestricted file system access, which is what turns reflection into a real danger. If a bad actor can get an assembly (or something that gets compiled into an assembly) into your virtual directory, you are in danger if they have reflection permission. (Of course, if this happens, there are other potential issues too, but that should not discount this specific vulnerability.)
In a shared hosting environment that's just harder to prevent, though it certainly is not impossible. Perhaps it's worth cross-posting this question to ServerFault to see what the good folks there have to say.
I found the following MSDN article on this subject:
This article echoes Jeff's answer:
Reflection provides the ability to obtain information about types and members, and to access members. Accessing nonpublic members could create a security risk. Therefore, code that accesses nonpublic members requires ReflectionPermission with the appropriate flags.
However, I do not believe this risk could be exploited between customers' hosting accounts. It seems this would only pose a personal risk. For instance, using reflection I could explore my own assemblies in my hosting environment. Other customers, however, couldn't use reflection to explore my assemblies. They could only explore their own assemblies.
This may pose a problem for a single web application that involves multiple development teams. One team of developers could use reflection to explore another development team's assemblies.
However, this is a rare scenario for a shared hosting environment. Most shared hosting websites involve a very small team who have full access to all the code. In other words, there are no secrets. As long as the assembly is protected from other shared hosting customers, then it is no problem.
Enabling reflection should not pose any risk for many shared hosting web applications:
<IPermission class="ReflectionPermission" version="1" Flags="RestrictedMemberAccess"/>
Please correct me if I am wrong.
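Where the IPermission line from the answer above would sit, as an added configuration example that is not part of the original thread. The trust level name CustomMedium and the file name web_CustomMedium.config are hypothetical, and the policy file is assumed to be a copy of the stock medium trust policy with everything else left unchanged.

```xml
<!-- Fragment 1: web.config. Registers a custom trust level and selects it.
     Only takes effect where the trust level has not been locked at a higher
     configuration level (assumption: the host allows the override). -->
<configuration>
  <system.web>
    <securityPolicy>
      <!-- "CustomMedium" and the policy file name are hypothetical names -->
      <trustLevel name="CustomMedium" policyFile="web_CustomMedium.config" />
    </securityPolicy>
    <trust level="CustomMedium" originUrl="" />
  </system.web>
</configuration>

<!-- Fragment 2: web_CustomMedium.config, assumed to start as a copy of the
     medium trust policy file. Only the two additions are shown; the other
     SecurityClass and IPermission entries of the copy stay as they are. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <!-- Declares the permission type so the permission set can name it -->
            <SecurityClass Name="ReflectionPermission"
                           Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <!-- The line quoted in the answer: grants RestrictedMemberAccess
                   only, not the broader MemberAccess flag -->
              <IPermission class="ReflectionPermission" version="1"
                           Flags="RestrictedMemberAccess" />
            </PermissionSet>
          </NamedPermissionSets>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```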
I have never found anything 'bad' that a user will be able to do using reflection. People get scared off because you are able to call methods which are marked as private or protected, but from what I have seen, none of them impose any real risk.
Probably, it's at least partly a sales technique to get you to shell out for (semi-)dedicated hosting :)