Think you know how Go’s parsers work? Think again. This talk dives into the surprising and potentially dangerous behaviors in Go’s most common parsers. Did you know that you can have an input string that successfully parses as YAML, JSON, and XML? From JSON’s case-insensitive field matching to XML’s garbage-tolerant parsing, we’ll explore how these “features” can lead to serious security vulnerabilities. Through real-world case studies, we’ll demonstrate how these parser quirks have led to authentication bypasses in production systems, how you can find similar issues, and how you can fix these issues in your own code.
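As an added illustration of the JSON case-insensitive field matching mentioned above (example code written for this page, not code from the talk or from Trail of Bits), the Go program below shows encoding/json accepting the key IS_ADMIN for a field tagged is_admin, and a strict decoder that reads the object into a map first and rejects any key whose spelling is not exactly in an allow-list. The Request struct, the key names and the sample request bodies are constructed assumptions, not taken from any real system.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request is a constructed example of a struct a Go service might decode
// a request body into; "is_admin" is the key name the service intends.
type Request struct {
	User    string `json:"user"`
	IsAdmin bool   `json:"is_admin"`
}

// DecodeLenient is the default encoding/json behaviour: a key is matched to
// a struct field by exact name first, then case-insensitively, so "IS_ADMIN"
// or "Is_Admin" also populates IsAdmin. A filter elsewhere that only strips
// the exact key "is_admin" would miss those spellings.
func DecodeLenient(body string) (Request, error) {
	var r Request
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

// DecodeStrict reads the top-level object into a map first, so the exact
// spelling of every key is visible, rejects any key not byte-for-byte in the
// allow-list, and only then decodes into the struct. This closes the
// case-insensitive path without changing the struct or its tags.
func DecodeStrict(body string, allowed []string) (Request, error) {
	var r Request
	var raw map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &raw); err != nil {
		return r, err
	}
	allow := make(map[string]bool, len(allowed))
	for _, k := range allowed {
		allow[k] = true
	}
	for k := range raw {
		if !allow[k] {
			return r, fmt.Errorf("rejected key %q: exact-case match required", k)
		}
	}
	err := json.Unmarshal([]byte(body), &r)
	return r, err
}

func main() {
	// Constructed request body using an upper-case variant of the key.
	body := `{"user":"alice","IS_ADMIN":true}`
	allowed := []string{"user", "is_admin"}

	r, err := DecodeLenient(body)
	fmt.Printf("lenient: is_admin=%v err=%v\n", r.IsAdmin, err)

	_, err = DecodeStrict(body, allowed)
	fmt.Printf("strict:  err=%v\n", err)
}
```

The map pass is the part that matters: DisallowUnknownFields on a json.Decoder does not help here, because a case-variant key still counts as a known field under the lenient matching rule.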
Speaker

Vasco Franco
Vasco Franco is a Senior Application Security Engineer at Trail of Bits, where he performs security audits of the world's most targeted organizations and products. His main areas of interest are low-level security and web application security. He was once a bug bounty hunter, exploiting anything from fully remote code execution (RCE) in popular video games to wormable XSS vulnerabilities in known chat messaging apps.
Vasco has previously spoken at the Hackers to Hackers conference and written several articles for Paged Out!, winning "Best Security/RE article" in the first edition of the magazine.
In his free time, Vasco enjoys climbing, hiking in the mountains, and occasionally hacking bug bounty targets. Lately, he’s been really into email parsing and the surprising problems that can arise from it.