Serialization Formats Aren't Toys

Presented at Kiwicon 7: Cyberfriends (2013), Nov. 10, 2013, 2 p.m. (30 minutes)

Dear Web App Developers: Do you have an API? Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you? How sure are you about that? It's not in the OWASP Top 10, but you don't have to look far to hear stories of security vulnerabilities involving deserializing user input. Why do they keep happening? In this talk I'll go over what the threat is, how you might be making yourself vulnerable, and how to mitigate the problem. I'll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them. Because here's the thing: if you are using, say, a compliant, properly implemented parser to parse your stuff, you are NOT safe. Possibly quite the opposite.

Presenters:

  • Tom Eastman
    Tom is a senior Python developer and technical lead for Catalyst IT, New Zealand's largest company specialising in open source. Prior to that he worked as a developer and system administrator for the University of Otago Faculty of Medicine and as a Computer Science tutor for same. Tom has developed a healthy paranoia as a direct result of drinking with penetration testers.
