Sunday 1:50 p.m.–2:20 p.m.
Serialization formats are not toys
Tom Eastman
- Audience level:
- Intermediate
- Category:
- Security
Description
It’s not in the OWASP Top 10, but you don’t have to look far to hear stories of security vulnerabilities involving deserialization of user input. In this talk I’ll go over what the threat is and how you might be making yourself vulnerable. I’ll cover the features (not bugs: features) of XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them.
Abstract
Do you have an API?
Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you?
Are you sure?
It’s not in the OWASP Top 10, but you don’t have to look far to hear stories of security vulnerabilities involving deserialization of user input. Why do they keep happening?
In this talk I’ll go over what the threat is, how you are making yourself vulnerable and how to mitigate the problem. I’ll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them. My examples are in Python but are also applicable to other languages and frameworks.
Because here’s the thing: If you are using, say, a compliant, properly implemented XML parser to parse your XML, you are NOT safe. Possibly quite the opposite.