bluetooth | 12 years ago

How did you test for YAML injection? From my past experiences with Ruby (hardly any), YAML injection is difficult to test from a black-box perspective, as you need an understanding of the source code in order to be able to craft the appropriate serialized YAML object to yield code execution.

borski | 12 years ago

Couple of methods. For one thing, we test for status codes returned for particularly crafted YAML/XML parameters. Aside from that, we also carefully craft a YAML injection using a timing attack and test blind that way.