Labs / YAML Bomb
- Challenge
- Released 26 Sep 2025
💣 Can you detonate a YAML bomb to compromise the configuration system?
This corporate configuration management system processes YAML files for application settings, but a dangerous implementation flaw creates a perfect storm for exploitation. 💣 YAML deserialization attacks are increasingly common in modern applications, especially those using configuration-as-code approaches. Many developers don't realize that YAML can execute arbitrary Python code during parsing, making it a powerful attack vector for system compromise! 🎯
Start Lab Environment
💣 YAML Bomb
🎯 Learning Objectives
- 📄 YAML Processing: Understand how YAML deserialization works in Python applications
- 🔍 Unsafe Loading: Learn to identify yaml.load() vs yaml.safe_load() vulnerabilities
- 💣 Payload Crafting: Master YAML deserialization payload construction
- 🚀 Code Execution: Achieve remote code execution through YAML injection
🏢 Scenario
You've discovered a corporate configuration management portal that allows administrators to upload and process YAML configuration files for various applications. The system uses Python's PyYAML library to parse configuration data, but the implementation may be using unsafe deserialization methods that can execute arbitrary code.
🔍 Your Mission
Investigate the configuration management system, identify YAML deserialization vulnerabilities, craft malicious YAML payloads to exploit unsafe loading, and demonstrate how YAML bombs can lead to remote code execution and access to sensitive system information. The goal is to understand the security risks of unsafe YAML deserialization in enterprise applications.