
XSS: Unescaped Angular Brackets in HTML Report

Moderate
jcamiel published GHSA-p4p2-ffh9-cc9c Apr 19, 2024

Package

No package listed

Affected versions

4.2.0

Patched versions

4.3.0

Description

Summary

Hurl surrounds values received from the web server with angular brackets, i.e. < and >, when they don't match the expectation. The values, with their brackets, are rendered into the HTML report unescaped. This allows the web server under test to inject problematic code into the HTML.

Details

Hurl displays the errors/failures within angular brackets, i.e. < and >. When generating an HTML report of the tests, the rendering of those values does not escape the angular brackets, so browsers do not display anything because they don't understand

Here's how it's displayed in the HTML report in a browser:

[screenshot]

Here are the culprit lines in the HTML file:

[screenshot]

Hurl passes the web server input to the HTML unsanitized.
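An added example (not Hurl's own code) of the pattern described above: a failure line that wraps the received value in angle brackets, rendered once without escaping and once with the whole message HTML-escaped before it is placed in the page. The exact message layout is an assumption; the body is the one the PoC server returns.

```rust
/// Escape the characters that change meaning in HTML text or attributes.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable rendering (behaviour the advisory describes): the actual value
/// is wrapped in angle brackets and concatenated into the HTML as-is, so a
/// body like "<script>...</script>" becomes live markup in the report.
/// Message layout is assumed, not Hurl's real template.
fn render_failure_unescaped(expected: &str, actual: &str) -> String {
    format!("<pre>expected: <{}>\n  actual: <{}></pre>", expected, actual)
}

/// Fixed rendering: build the plain-text message first (brackets included),
/// then escape the whole string before it goes inside the <pre> element.
fn render_failure_escaped(expected: &str, actual: &str) -> String {
    let message = format!("expected: <{}>\n  actual: <{}>", expected, actual);
    format!("<pre>{}</pre>", html_escape(&message))
}

fn main() {
    // Constructed sample: the response body served by the PoC Caddyfile.
    let actual = "<script>alert('Hi')</script>";
    let expected = "Hello, World!";
    println!("unescaped: {}", render_failure_unescaped(expected, actual));
    println!("escaped:   {}", render_failure_escaped(expected, actual));
}
```

In the escaped output the wrapping brackets survive as visible `&lt;`/`&gt;` text, which also fixes the second impact below: innocuous mismatched values are shown instead of being swallowed as unknown tags.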

PoC

  • Download Caddy server
  • Create a file named Caddyfile with the content:

    localhost {
    	log
    	respond "<script>alert('Hi')</script>"
    }

  • Create a file named xss.hurl with the content:

    GET https://localhost
    [Options]
    insecure: true
    HTTP/2 200
    [Asserts]
    `Hello, World!`

  • Run: hurl --report-html . xssr.hurl
  • Open the resulting index.html in a browser
  • Click on the xssr.hurl file link on the page

You'll see an alert triggered by JavaScript.

[screenshot]

Impact

There are two impacts:

  • The test subject (the web server) can inject arbitrary JS code to run on the client viewing the HTML report.
  • Innocuous values are not displayed on the HTML page, because the values are rendered as HTML tags (which they aren't) and browsers do not recognize them.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits