mitigate
mitigate
- PHP object deserialization — `unserialize` on untrusted data
- Ruby unsafe deserialization — `Marshal.load` / `YAML.load`
- Disabled TLS verification — `verify=False` and friends
- Java ObjectInputStream and friends
- JavaScript `eval()` / `new Function()` on untrusted input
- JWT — `alg: none` and algorithm confusion
- Prototype pollution — `merge`, `assign`, and friends
- Python pickle / dill on untrusted input
- PyYAML `yaml.load` without a safe Loader
- XML external entities (XXE) — parser defaults