This repository has been archived by the owner on Sep 11, 2019. It is now read-only.
Detect unsafe usages of JSon deserializers #86
Labels
Comments
|
If you could put together a comprehensive list of deserializers that you know about it shouldn't be hard to add these in. |
|
It'd not the deserializers themselves that are necessarily unsafe. It's how
they're used. E.g. When supplying the expected type things become safer
than when you're de serializing into an arbitrary object.
…On 23 Jan 2018 09:37, "Berkeley Churchill" ***@***.***> wrote:
If you could put together a comprehensive list of deserializers that you
know about it shouldn't be hard to add these in.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#86 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AD-uS0YpMUDFORk6Lg-EQdOI7t5jzP1Wks5tNZozgaJpZM4O8WLH>
.
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This article/preso lists a number of attack vectors against JSON serializers. it would b enice if these were detected:
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
The text was updated successfully, but these errors were encountered: