Parser Differentials: When Interpretation Becomes a Vulnerability
Joernchen (Joern Schneeweisz)
OffensiveCon 2025 · Day 1 · Main
Joern Schneeweisz (Joernchen) of GitLab's Security Research team walks through a decade of accumulated parser differential exploits — from a 2018 CouchDB RCE to a 2024 GitLab Workspaces arbitrary file write — arguing that format disagreements between parsers are stockpilable assets, not just one-off bugs. The practical crown jewel is a three-language YAML file that simultaneously presents different key values to Go, Python, and Ruby, enabling security control bypass and, when combined with a path traversal primitive, real shell access.
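The mechanism behind the differentials the talk catalogues is that two parsers can read the same bytes and return different values for the same key. The following added example (not code from the talk or from GitLab, and not a reproduction of the YAML polyglot described above) illustrates the general class with the simplest instance, a duplicated key in a JSON object, using only Python's standard library: one parser keeps the first occurrence, one keeps the last, a `differential` helper reports the keys they disagree on, and a strict parser rejects the document so that no two components downstream can see different values. The sample document is constructed for the example.

```python
import json

# Constructed sample: a JSON object with a duplicated key. A first-wins parser
# and a last-wins parser will report different values for "role".
SAMPLE = '{"user": "alice", "role": "guest", "role": "admin"}'


def parse_last_wins(text: str) -> dict:
    """Default behaviour of Python's json module: the last duplicate wins."""
    return json.loads(text)


def parse_first_wins(text: str) -> dict:
    """Emulate a parser that keeps the first occurrence of a duplicate key."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # only the first value is kept
        return out
    return json.loads(text, object_pairs_hook=hook)


class DuplicateKeyError(ValueError):
    """Raised by parse_strict when an object repeats a key."""


def parse_strict(text: str) -> dict:
    """Defensive parser: reject any object (at any nesting depth) that
    contains a duplicate key, removing the ambiguity entirely."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=hook)


def differential(text: str) -> dict:
    """Return {key: (first_wins_value, last_wins_value)} for every top-level
    key on which the two parsing strategies disagree; empty if they agree."""
    first = parse_first_wins(text)
    last = parse_last_wins(text)
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}


if __name__ == "__main__":
    print("disagreements:", differential(SAMPLE))
    try:
        parse_strict(SAMPLE)
    except DuplicateKeyError as exc:
        print("strict parser rejected input:", exc)
```

The defensive point is the last function: a service that accepts a document at one boundary (say, an authorization check) and re-parses it at another (the component that acts on it) should use a parser that refuses ambiguous input, rather than trusting that both components resolve duplicates the same way.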
AI review
Joernchen presents parser differentials as a stockpilable offensive asset class rather than isolated bugs, working through CouchDB JSON, Kubernetes JWT header ordering, a three-language YAML polyglot, and a real GitLab Workspaces file write. The 'stockpile first, deploy later' framing is the conceptual contribution; the YAML three-way split (Go/Python/Ruby simultaneously seeing different key values) is the technical centerpiece. Clean examples, accessible format, genuine impact — docked one point for being an OffensiveCon talk that could have been a DEF CON talk.