BSidesVienna 0x7EA

Parsing CBOR is a Minefield: A Study of CBOR Parser behavior
06-27, 17:15–17:45 (Europe/Vienna), Kreativraum 3.1 (Track 3 - Women4Cyber/Rookie)

CBOR (RFC 8949) is a binary serialization format used in constrained security-critical systems like FIDO2/WebAuthn and COSE. Despite a precise specification, implementations diverge across languages and systems, leading to different behavior when confronted with the same input. In this talk, 11 CBOR parsers across seven languages are compared to identify security-relevant behavior, such as unexpected acceptance/rejection of input, hangs and crashes.
CBOR underpins much of modern security infrastructure. Yet whether two implementations agree on what a given byte sequence means, and how they handle edge cases and malformed data, has received little public systematic attention. This talk examines 11 widely-used CBOR parsers spanning C, Rust, Python, Java, Go, C#, and JavaScript, selected for real-world deployment, active maintenance, and architectural diversity. I cover the testing methodology, including fuzzing and a differential-testing harness that runs shared valid and invalid inputs across all parsers, as well as how the resulting divergences are visualized and analyzed.
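To make the kind of divergence such a harness is built to surface concrete, here is an added, self-contained example in Python; it is not the speaker's harness and not any of the 11 parsers under study. A minimal RFC 8949 decoder is run in two modes that stand in for two real implementations: a strict mode that enforces preferred (shortest) integer encodings, rejects duplicate map keys and invalid UTF-8, bounds nesting depth and refuses trailing bytes, and a lenient mode that accepts all of those. A small differential harness then runs one hand-constructed corpus through both modes and reports where the accept/reject/crash outcome differs. The corpus, the MAX_DEPTH value and the exact strict-mode policy are assumptions of this example; tags, floats and indefinite-length strings are deliberately left unhandled to keep it short.

```python
# Minimal CBOR (RFC 8949) decoder with a strict and a lenient mode, plus a tiny
# differential harness that runs one constructed corpus through both modes.
# Added illustration, not the talk's harness; the strict-mode policy is assumed.

MAX_DEPTH = 128            # assumed nesting bound, enforced only in strict mode
_BREAK = object()          # sentinel for the 0xff "break" stop code

class CBORError(ValueError):
    """Input rejected as not well-formed (or, in strict mode, not preferred)."""

def _need(cond, msg):
    if not cond:
        raise CBORError(msg)

def decode(data, strict=True):
    """Decode one data item. Strict mode also rejects non-shortest integers,
    duplicate map keys, invalid UTF-8, deep nesting and trailing bytes."""
    item, pos = _item(data, 0, strict, 0)
    _need(item is not _BREAK, "break code outside indefinite-length container")
    _need(not strict or pos == len(data), "trailing bytes after data item")
    return item

def _item(buf, pos, strict, depth):
    _need(not strict or depth <= MAX_DEPTH, "nesting too deep")
    _need(pos < len(buf), "truncated input")
    ib = buf[pos]; pos += 1
    major, ai, arg = ib >> 5, ib & 0x1F, None
    if ai < 24:
        arg = ai
    elif ai <= 27:
        n = 1 << (ai - 24)                       # 1, 2, 4 or 8 argument bytes
        raw = buf[pos:pos + n]; pos += n
        _need(len(raw) == n, "truncated argument")
        arg = int.from_bytes(raw, "big")
        # Preferred serialization (RFC 8949 sec. 4.1): shortest form that fits.
        _need(not strict or major == 7 or arg >= (24 if n == 1 else 1 << (4 * n)),
              "non-minimal integer encoding")
    elif ai == 31:                               # indefinite length, or break
        _need(major in (4, 5, 7), "indefinite length invalid here or not handled")
        if major == 7:
            return _BREAK, pos
    else:
        raise CBORError("reserved additional information %d" % ai)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    _need(major != 6, "tags are not handled in this example")
    if major in (2, 3):                          # definite-length byte/text string
        raw = bytes(buf[pos:pos + arg]); pos += arg
        _need(len(raw) == arg, "truncated string")
        errors = "strict" if strict else "replace"   # lenient: mangle, don't reject
        try:
            return (raw if major == 2 else raw.decode("utf-8", errors)), pos
        except UnicodeDecodeError:
            raise CBORError("invalid UTF-8 in text string") from None
    if major in (4, 5):                          # array, or map read as a flat list
        items, want = [], None if arg is None else arg * (2 if major == 5 else 1)
        while want is None or len(items) < want:
            v, pos = _item(buf, pos, strict, depth + 1)
            if v is _BREAK:
                _need(want is None, "unexpected break")
                break
            items.append(v)
        if major == 4:
            return items, pos
        _need(len(items) % 2 == 0, "map with a key but no value")
        out, seen = {}, set()
        for k, v in zip(items[::2], items[1::2]):
            _need(not isinstance(k, (list, dict)), "composite map keys not handled here")
            _need(not strict or (type(k), k) not in seen, "duplicate map key")
            seen.add((type(k), k)); out[k] = v   # lenient: last occurrence wins
        return out, pos
    _need(ai != 24 or arg >= 32, "two-byte simple value < 32 is not well-formed")
    _need(ai < 25, "floats are not handled in this example")
    return {20: False, 21: True, 22: None}.get(arg, ("simple", arg)), pos

def classify(data, strict):
    try:                                         # outcome bucket for the harness
        return "accept", decode(data, strict)
    except CBORError as e:
        return "reject", str(e)
    except Exception as e:                       # anything else counts as a crash
        return "crash", type(e).__name__

CORPUS = [                                       # constructed probes, not real data
    ("minimal int 5", b"\x05"),
    ("non-minimal int 5", b"\x18\x05"),
    ("trailing byte", b"\x05\x05"),
    ("duplicate map key", b"\xa2\x01\x02\x01\x03"),
    ("invalid utf-8 text", b"\x62\xff\xfe"),
    ("2-byte simple value", b"\xf8\x10"),
    ("5000 nested arrays", b"\x81" * 5000 + b"\x00"),
]

def diff(corpus=CORPUS):                         # rows where the two modes disagree
    rows = [(name, classify(d, True), classify(d, False)) for name, d in corpus]
    return [r for r in rows if r[1][0] != r[2][0]]
```

Calling diff() on this corpus returns every row except the minimal integer (accepted by both) and the two-byte simple value (rejected by both): the non-minimal integer, trailing byte, duplicate key and invalid UTF-8 inputs are accepted leniently but rejected strictly, and the 5000-deep array is rejected strictly but crashes the lenient mode with a RecursionError, which is the hang/crash category a fuzzer would flag. Notice that the lenient decoder's results for the first three are values a caller would happily use (5, 5 and {1: 3}), which is exactly how two components of one system can disagree about what a signed blob says.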

Finally, I discuss the observed divergences and any crashes the testing uncovered, their underlying reasons, and the security implications. As this talk presents ongoing research as part of my master's thesis, the results are still preliminary and open to change.

Originally from Germany, Jakob is a penetration tester and security consultant based in Vienna, currently completing a Master's in Information Security at the University of Applied Sciences St. Pölten. He spent over two years at SBA Research conducting penetration tests of web applications, fat clients, and corporate networks, alongside source-code audits and social engineering assessments. Most recently, he worked as a penetration tester at Raiffeisen Informatik, where his work spanned penetration testing, CERT activities, and security incident management. He holds the OSCP and BSCP certifications. His current research, part of his Master's thesis, examines divergences and security-relevant behavior across CBOR parser implementations.