Teri Radichel

Summary

The website content discusses a Python script for converting YAML to JSON files securely during a cybersecurity penetration test, emphasizing the importance of using safe loaders to avoid security risks.

Abstract

The content outlines a situation where Teri Radichel, a cybersecurity expert, needed to convert a Swagger (Open API) definition from YAML to JSON to automate API fuzzing for a client during a penetration test. Instead of rewriting existing code or using potentially unsafe online converters, Radichel found and tweaked a Python script that utilizes yaml.safe_load to ensure secure data handling. The script reads a YAML configuration file and writes the equivalent JSON data to a file, with the option to print the JSON output with indentation for readability. The article also provides links to related cybersecurity content, presentations, and Radichel's professional background, inviting readers to follow for updates and sign up for a Medium email list for more information.

Opinions

  • The author emphasizes the importance of using safe methods to load YAML data to prevent security vulnerabilities, as evidenced by the rejection of an unsafe loader script.
  • There is a preference for using Python for such tasks, as demonstrated by the provided script and the mention of Python-specific commands and functions.
  • The author values the sharing of knowledge and resources, as indicated by the inclusion of links to further reading, presentations, and educational content on cybersecurity.
  • The author suggests a potential future improvement to automate the conversion process for files ending with the .yaml extension.
  • Radichel's qualifications and expertise in the field of cybersecurity are highlighted to establish credibility and trust with the audience.

YAML to JSON in Python

A little script to convert from YAML to JSON — beware of unsafe loaders

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | Application Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While working on a penetration test, a client gave me a Swagger (Open API) definition, which I wanted to use to automatically fuzz their API. I talked about how I did that in this presentation at RSA 2020.

My code was written for JSON since that’s what I got the previous times I did this type of testing. Rather than re-write my code, I wanted a simple way to convert the YAML to JSON — without putting my client’s data into some sketchy form on the Internet.

I found various scripts to do that in Python. One made use of an unsafe loader and basically didn’t work.

Then I found this script, which is pretty decent. Note that it makes use of yaml.safe_load:

The only thing I did was tweak it to pull the JSON and YAML files into variables. I could take this further and make a function or class out of it and do the conversion if the file name ends with .yaml in my code.

import yaml
import json

# safe_load only builds plain Python types (dicts, lists, strings, numbers),
# so YAML tags that would construct arbitrary Python objects are rejected.
with open('config.yml', 'r') as file:
    configuration = yaml.safe_load(file)

with open('config.json', 'w') as json_file:
    json.dump(configuration, json_file)

# Read the JSON back and print it with indentation for readability;
# the with block closes the file handle instead of leaking it.
with open('config.json', 'r') as json_file:
    output = json.dumps(json.load(json_file), indent=2)
print(output)

Someday.
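The function-based version sketched above, written as an added example rather than code from the original post: it converts a file only when the name ends in .yaml or .yml, keeps yaml.safe_load as the parser, and shows that safe_load rejects a Python-specific tag where a full or unsafe loader would try to build an object. The sample OpenAPI snippet, the tagged document, and the names json_path_for, yaml_text_to_json, convert_yaml_file, is_accepted_by_safe_load and demo are all constructed for this example; PyYAML is the only dependency.

```python
import json
import os
import tempfile

import yaml  # PyYAML

# Constructed sample of an OpenAPI-style definition (not a client's data).
SAMPLE_YAML = """\
openapi: "3.0.0"
info:
  title: Example API
  version: "1.0"
paths:
  /items:
    get:
      responses:
        "200":
          description: ok
"""

# Constructed document carrying a Python-specific tag. A full or unsafe
# loader would resolve it to a Python object; safe_load raises instead.
TAGGED_YAML = "callback: !!python/name:builtins.str\n"


def json_path_for(yaml_path):
    """Map spec.yaml / spec.yml to spec.json; return None for other extensions."""
    root, ext = os.path.splitext(yaml_path)
    if ext.lower() not in (".yaml", ".yml"):
        return None
    return root + ".json"


def yaml_text_to_json(text, indent=2):
    """Parse YAML with safe_load and return the equivalent JSON string."""
    data = yaml.safe_load(text)
    # safe_load still turns unquoted timestamps (2020-02-24) into date objects,
    # which json cannot serialise natively; default=str stringifies them.
    return json.dumps(data, indent=indent, default=str)


def convert_yaml_file(yaml_path, indent=2):
    """Convert a .yaml/.yml file to a sibling .json file and return its path."""
    json_path = json_path_for(yaml_path)
    if json_path is None:
        raise ValueError(f"not a YAML file name: {yaml_path}")
    with open(yaml_path, "r", encoding="utf-8") as src:
        output = yaml_text_to_json(src.read(), indent=indent)
    with open(json_path, "w", encoding="utf-8") as dst:
        dst.write(output)
    return json_path


def is_accepted_by_safe_load(text):
    """True if safe_load parses the text, False if it rejects a tag it cannot build."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False


def demo():
    """Write the sample to a temp dir, convert it, and return the parsed JSON."""
    with tempfile.TemporaryDirectory() as tmp:
        yaml_path = os.path.join(tmp, "spec.yaml")
        with open(yaml_path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_YAML)
        json_path = convert_yaml_file(yaml_path)
        with open(json_path, "r", encoding="utf-8") as f:
            return json.load(f)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tagged document accepted by safe_load:",
          is_accepted_by_safe_load(TAGGED_YAML))
```

The rejection of TAGGED_YAML is the whole point of preferring safe_load: the failure happens at parse time, before any of the document's content reaches your fuzzer or your file system, so a spec file from a third party cannot smuggle in a constructor call.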

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab