Gwern visits BAIR – Yuxi on the Wired
Gwern’s lunchtime visit to the Berkeley AI Research (BAIR).
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
github.blogCritical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
Unexpected security footguns in Go's parsers
File parsers in Go contain unexpected behaviors that can lead to serious security vulnerabilities. This post examines how JSON, XML, and YAML parsers in Go handle edge cases in ways that have repeatedly resulted in high-impact security issues in production systems. We explore three real-world attack scenarios: marshaling/unmarshaling unexpected data, exploiting parser differentials, and leveraging data format confusion. Through examples, we demonstrate how attackers can bypass authentication, circumvent authorization controls, and exfiltrate sensitive data by exploiting these parser behaviors.
Last Week in Security (LWiS) - 2025-03-17
Evilginx Pro (@mrgretzky), Pre-auth RCE in a CMS (@chudyPB), GOAD ADCS (@M4yFly), YouTube email disclosure (@brutecat), SAML parser bug (@ulldma.bsky.social/@ulldma@infosec.exchange), and more!