The website content discusses a Python script for converting YAML to JSON files securely during a cybersecurity penetration test, emphasizing the importance of using safe loaders to avoid security risks.
Abstract
The content outlines a situation where Teri Radichel, a cybersecurity expert, needed to convert a Swagger (Open API) definition from YAML to JSON to automate API fuzzing for a client during a penetration test. Instead of rewriting existing code or using potentially unsafe online converters, Radichel found and tweaked a Python script that utilizes yaml.safe_load to ensure secure data handling. The script reads a YAML configuration file and writes the equivalent JSON data to a file, with the option to print the JSON output with indentation for readability. The article also provides links to related cybersecurity content, presentations, and Radichel's professional background, inviting readers to follow for updates and sign up for a Medium email list for more information.
Opinions
The author emphasizes the importance of using safe methods to load YAML data to prevent security vulnerabilities, as evidenced by the rejection of an unsafe loader script.
There is a preference for using Python for such tasks, as demonstrated by the provided script and the mention of Python-specific commands and functions.
The author values the sharing of knowledge and resources, as indicated by the inclusion of links to further reading, presentations, and educational content on cybersecurity.
The author suggests a potential future improvement to automate the conversion process for files ending with the .yaml extension.
Radichel's qualifications and expertise in the field of cybersecurity are highlighted to establish credibility and trust with the audience.
YAML to JSON in Python
A little script to convert from YAML to JSON — beware of unsafe loaders
While working on a penetration test, a client gave me a Swagger (OpenAPI) definition which I wanted to use to automatically fuzz their API. I talked about how I did that in this presentation at RSA 2020.
My code was written for JSON since that’s what I had been given the previous times I did this type of testing. Rather than rewrite my code I wanted a simple way to convert the YAML to JSON — without putting my client’s data into some sketchy form on the Internet.
I found various scripts to do that in Python. One made use of an unsafe loader and basically didn’t work.
The only thing I did was tweak it to pull the JSON and YAML file names into variables. I could take this further and make a function or class out of it and do the conversion in my code if the file name ends with .yaml.
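Here is an added example, not the script from the original post, of the same conversion in Python with yaml.safe_load, including the .yaml extension check suggested above and a check that the safe loader refuses a Python-object tag. The function names and the sample documents are my own assumptions.

```python
import json
from pathlib import Path

import yaml  # PyYAML

def yaml_to_json_text(yaml_text: str, indent=2) -> str:
    """Parse YAML with the safe loader and return the equivalent JSON text."""
    # safe_load builds only plain types (dict, list, str, int, ...); tags that
    # would construct arbitrary Python objects raise yaml.YAMLError instead.
    data = yaml.safe_load(yaml_text)
    return json.dumps(data, indent=indent)


def convert_file(path: str, indent=2) -> Path:
    """Convert a .yaml/.yml file to a sibling .json file; return the new path."""
    src = Path(path)
    if src.suffix.lower() not in (".yaml", ".yml"):
        raise ValueError(f"not a YAML file: {src}")
    dst = src.with_suffix(".json")
    dst.write_text(yaml_to_json_text(src.read_text(), indent=indent))
    return dst


def safe_load_rejects(yaml_text: str) -> bool:
    """True when the safe loader refuses the document (e.g. a !!python/ tag)."""
    try:
        yaml.safe_load(yaml_text)
    except yaml.YAMLError:
        return True
    return False


# Constructed sample: a minimal OpenAPI-style document.
SAMPLE_YAML = """\
openapi: "3.0.0"
info: {title: Example API, version: "1.0"}
paths:
  "/users/{id}":
    get:
      parameters:
        - {name: id, in: path, required: true}
"""

# Constructed sample with a !!python/ tag: an unsafe loader would resolve it, safe_load refuses it.
PYTHON_TAG_YAML = "value: !!python/name:os.getcwd\n"

if __name__ == "__main__":
    print(yaml_to_json_text(SAMPLE_YAML))
    print("python tag rejected:", safe_load_rejects(PYTHON_TAG_YAML))
```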
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab