The reading and unpacking of messages consumes data from third-party sources. While this data is often from a trusted party, it's still important to have parsers which do not crash on unexpected input. OWASP mentions that parsing of untrusted data is a major security risk software applications face.
Fuzzing is a testing methodology which generates inputs to execute all code paths of a parser and discover crashes. We should fuzz the iso8583 parser and pack/unpack code.
The Go standard library has support for fuzzing. We've previously used a third-party library for fuzzing, but with native support we should build a fuzzer using Go's toolchain.
Docs: https://go.dev/doc/fuzz/
Example for reading data:
https://github.com/moov-io/iso8583#parse-the-message-and-access-the-data
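As an added illustration of what a native Go fuzz target for pack/unpack code looks like (this is example code written for this note, not code from the moov-io/iso8583 library or from the issue author), the block below uses a hypothetical two-field message layout, an LLVAR numeric field followed by a fixed four-byte field, as a stand-in for a real ISO 8583 spec. `Unpack` validates every length before slicing so malformed bytes return an error instead of panicking, and `FuzzUnpack` checks the round-trip property: any input that `Unpack` accepts must `Pack` back to the same bytes. The seed corpus is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"testing"
)

// Message is a hypothetical stand-in for an ISO 8583 message: PAN is an LLVAR
// field (two ASCII digits of length, then that many digits), Code is a fixed
// four-byte field. Neither the type nor the layout comes from moov-io/iso8583.
type Message struct {
	PAN  string // 1..19 ASCII digits
	Code string // exactly 4 bytes
}

var ErrShort = errors.New("unexpected end of input")

// isDigits reports whether b is non-empty and made only of ASCII digits.
func isDigits(b []byte) bool {
	for _, c := range b {
		if c < '0' || c > '9' {
			return false
		}
	}
	return len(b) > 0
}

// Unpack parses raw bytes into a Message. Every length is checked before the
// slice is taken, so malformed input yields an error, never an index panic.
func Unpack(data []byte) (Message, error) {
	var m Message
	if len(data) < 2 {
		return m, ErrShort
	}
	if !isDigits(data[:2]) { // strict: "+4" or " 4" would not round-trip
		return m, fmt.Errorf("LL prefix %q is not two digits", data[:2])
	}
	n := int(data[0]-'0')*10 + int(data[1]-'0')
	if n < 1 || n > 19 {
		return m, fmt.Errorf("LL prefix %d out of range", n)
	}
	body := data[2:]
	if len(body) < n+4 {
		return m, ErrShort
	}
	if len(body) > n+4 {
		return m, fmt.Errorf("%d trailing bytes", len(body)-n-4)
	}
	if !isDigits(body[:n]) {
		return m, errors.New("PAN contains non-digit bytes")
	}
	m.PAN = string(body[:n])
	m.Code = string(body[n:])
	return m, nil
}

// Pack serialises a Message back to bytes with the same layout.
func Pack(m Message) ([]byte, error) {
	if !isDigits([]byte(m.PAN)) || len(m.PAN) > 19 {
		return nil, errors.New("PAN must be 1..19 digits")
	}
	if len(m.Code) != 4 {
		return nil, errors.New("Code must be 4 bytes")
	}
	return []byte(fmt.Sprintf("%02d%s%s", len(m.PAN), m.PAN, m.Code)), nil
}

// RoundTrip is the property the fuzzer checks. Rejected input is fine (nil);
// only a panic inside Unpack or a pack/unpack mismatch counts as a bug.
func RoundTrip(data []byte) error {
	m, err := Unpack(data)
	if err != nil {
		return nil
	}
	packed, err := Pack(m)
	if err != nil {
		return fmt.Errorf("Unpack accepted %q but Pack rejected it: %v", data, err)
	}
	if !bytes.Equal(packed, data) {
		return fmt.Errorf("round trip mismatch: %q -> %q", data, packed)
	}
	return nil
}

// Seeds is a constructed seed corpus; the engine mutates these and stores any
// failing input under testdata/fuzz/FuzzUnpack for replay.
var Seeds = [][]byte{
	[]byte("04" + "1234" + "ABCD"),
	[]byte("16" + "4" + strings.Repeat("1", 15) + "ABCD"),
	[]byte("99"), // malformed on purpose
}

// FuzzUnpack is the native Go fuzz target (go test -fuzz=FuzzUnpack). In a
// real module it belongs in a *_test.go file; it is here to stay self-contained.
func FuzzUnpack(f *testing.F) {
	for _, s := range Seeds {
		f.Add(s)
	}
	f.Fuzz(func(t *testing.T, data []byte) {
		if err := RoundTrip(data); err != nil {
			t.Fatal(err)
		}
	})
}

func main() {
	for _, s := range Seeds {
		fmt.Printf("%q: %v\n", s, RoundTrip(s))
	}
}
```

Run it with `go test -fuzz=FuzzUnpack -fuzztime=30s` once the target sits in a `_test.go` file; without `-fuzz`, `go test` only replays the seeds and the saved corpus, which is what CI should do. The round-trip check is deliberately strict: a parser that accepted a signed or padded length prefix would unpack fine but pack differently, and the fuzzer reports exactly that kind of asymmetry, which is where parser bugs in real ISO 8583 specs tend to hide.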