by harrall
205 days ago
I see this type of vulnerability all the time. Seen it in Java, Lua, JavaScript, Python and so on. I think deserialization that relies on blacklists of properties is a dangerous game. I think rolling your own object deserialization in a library that isn't fully dedicated to deserialization is about as dangerous as writing your own encryption code.