Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
(github.blog)
312 points | campuscodi | 1 comment | 15 Mar 25 19:06 UTC
oncallthrow | 15 Mar 25 19:16 UTC | No. 43374582 | replying to >>43374519 (OP)
XML is to authentication bypasses what C is to buffer overflow attacks
replies (4): >>43374583, >>43374813, >>43375202, >>43375808
dietr1ch | 15 Mar 25 19:57 UTC | No. 43374813 | replying to >>43374582
Sad that XML has too many features for an otherwise somewhat nice, but verbose markup language.
replies (2): >>43374910, >>43374941
treve | 15 Mar 25 20:20 UTC | No. 43374910 | replying to >>43374813
Features are kind of a negative for security. Imagine if YAML was used!
replies (1): >>43374958
alexchamberlain | 15 Mar 25 20:30 UTC | No. 43374958 | replying to >>43374910
I think there is a "safe" subset of both XML and YAML that 80% of people actually use.
replies (2): >>43374973, >>43375111
Muromec | 15 Mar 25 20:58 UTC | No. 43375111 | replying to >>43374958
Which is exactly the problem. If you have two parsers of the same format in a security context that show slightly different behavior (maybe in the remaining 20%, or maybe not), it's often enough.
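A constructed illustration of the point Muromec makes above, added here by the editor; it is not code from the thread, from the linked github.blog post, or from any SAML library, and the differential it uses (an XML comment splitting a text node, which Python's ElementTree joins and minidom keeps as a separate node) is one kind of parser disagreement, not necessarily the one in the article. The HMAC stands in for XML-DSig, the element names drop the SAML namespaces, and the key and account names are made up. The toy service provider verifies the signature against one parser's view and logs the user in from the other, which is enough for an attacker who legitimately owns one account to be logged in as a different one; the hardened variant reads the identity from the same parsed tree it verified.

```python
"""Constructed illustration: two stdlib XML parsers disagree on a NameID.

ElementTree drops comments and joins the text on either side of one;
minidom keeps the comment as a node, so a consumer reading only the first
text child sees the text before it.  A toy service provider that verifies
the signature over one view and logs the user in from the other can be
made to log in a different identity than the one the IdP signed.

Everything here is made up: the HMAC stands in for XML-DSig, the element
names are stripped of SAML namespaces, and the key and accounts are fake.
"""
import hashlib
import hmac
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SECRET = b"constructed-idp-signing-key"  # stand-in for the IdP's key


def nameid_via_elementtree(doc: bytes) -> str:
    """View 1: ElementTree ignores comments, so 'a<!---->b' reads as 'ab'."""
    return ET.fromstring(doc).find("NameID").text


def nameid_via_minidom(doc: bytes) -> str:
    """View 2: minidom keeps the comment node, so the first text child of
    'a<!---->b' is just 'a'."""
    node = minidom.parseString(doc).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def idp_sign(nameid: str) -> str:
    """Toy IdP signature over the comment-free NameID text (the view a
    canonicaliser that drops comments would produce)."""
    return hmac.new(SECRET, nameid.encode(), hashlib.sha256).hexdigest()


def build_assertion(nameid_xml: str, sig: str) -> bytes:
    """Constructed SAML-like assertion; nameid_xml is inserted as raw markup
    so that a comment can be placed inside the NameID element."""
    return (f"<Assertion><NameID>{nameid_xml}</NameID>"
            f"<Signature>{sig}</Signature></Assertion>").encode()


def sp_login_mixed_parsers(doc: bytes) -> Optional[str]:
    """Vulnerable toy SP: signature checked against the ElementTree view,
    identity handed to the session from the minidom view."""
    sig = ET.fromstring(doc).find("Signature").text
    if not hmac.compare_digest(sig, idp_sign(nameid_via_elementtree(doc))):
        return None
    return nameid_via_minidom(doc)


def sp_login_one_parser(doc: bytes) -> Optional[str]:
    """Hardened toy SP: the identity is taken from the same parsed tree the
    signature was verified against, so the two views cannot diverge."""
    root = ET.fromstring(doc)
    signed_nameid = root.find("NameID").text
    sig = root.find("Signature").text
    if not hmac.compare_digest(sig, idp_sign(signed_nameid)):
        return None
    return signed_nameid


def demo() -> Dict[str, Optional[str]]:
    """Attacker owns 'user@example.com.evil.com' at the IdP, obtains a real
    signature for it, then splices a comment into the signed assertion."""
    real_account = "user@example.com.evil.com"
    sig = idp_sign(real_account)
    honest = build_assertion(real_account, sig)
    tampered = build_assertion("user@example.com<!---->.evil.com", sig)
    return {
        "honest_login": sp_login_mixed_parsers(honest),
        "tampered_et_view": nameid_via_elementtree(tampered),
        "tampered_dom_view": nameid_via_minidom(tampered),
        "tampered_login_mixed": sp_login_mixed_parsers(tampered),
        "tampered_login_one_parser": sp_login_one_parser(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the signature still verifying on the tampered assertion (both signer and verifier see `user@example.com.evil.com`) while the mixed-parser SP logs in `user@example.com`; the single-parser SP logs in the attacker's own account. The fix is not "pick the right parser" but "never let the bytes that were verified and the bytes that are trusted be interpreted by different code".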