Techly NewsGet the app

Get the latest tech news

Unexpected security footguns in Go's parsers


File parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.

During our security assessments, we’ve repeatedly exploited unexpected behaviors in Go’s JSON, XML, and YAML parsers to bypass authentication, circumvent authorization controls, and exfiltrate sensitive data from production systems. These aren’t theoretical issues—they’ve led to documented vulnerabilities like CVE-2020-16250(a Hashicorp Vault authentication bypass found by Google’s Project Zero) and numerous high-impact findings in our client engagements. The polyglot we’ve constructed is a powerful starting payload when exploiting these data format confusion attacks similar to the HashiCorp Vault bypass we explored above (CVE-2020-16250).

Get the Android app

Or read this on Hacker News

Read more on:

Photo of parsers

parsers

« Plastic bag bans and fees reduce harmful bag litter on shorelines
Agentic Misalignment: How LLMs could be insider threats »