Learn about systematic vulnerabilities in ZIP file parsing through a conference presentation that reveals critical security flaws across 50 different ZIP parsers. Discover how researchers developed ZipDiff, a differential fuzzer that identified parsing inconsistencies between ZIP implementations across 19 programming languages, uncovering that almost all parser pairs are vulnerable to certain parsing ambiguities. Explore 14 distinct parsing ambiguity types categorized into three groups, including 10 newly discovered vulnerability types that stem from imprecise ZIP format specifications. Examine five real-world attack scenarios demonstrating how these parsing gaps can be exploited to bypass secure email gateways, spoof office document content, impersonate VS Code extensions, and tamper with signed JAR files while evading Spring Boot's signature verification. Understand the systematic approach to identifying these vulnerabilities and review seven proposed mitigation strategies to address ZIP parsing ambiguities, along with the responsible disclosure process that resulted in bounty rewards from major vendors and three assigned CVEs.