Summary
Hurl surrounds values received from the web server with angle brackets, i.e. < and >, when they don't match the expectation. The values, with their brackets, are rendered into the HTML report unescaped. This allows the subject web server to inject problematic code into the HTML.
Details
Hurl displays the errors/failures within angle brackets, i.e. < and >. When generating an HTML report of the tests, the rendering of those values does not escape the angle brackets, so browsers do not display anything because they don't understand
Here's how it's displayed in the HTML report in a browser:
Here are the culprit lines in the HTML file:
Hurl passes the web server's response into the HTML report unsanitized.
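To make the failure mode concrete, here is an added example (not Hurl's own report code) that renders an assert failure into an HTML fragment two ways: the pattern the advisory describes, where the actual value is wrapped in angle brackets and interpolated verbatim, and a hardened variant that HTML-escapes the value before interpolation. The function names, the div markup and the response body are constructed for illustration; whether Hurl's eventual fix uses exactly this escaping routine is an assumption.

```rust
// Added example, not code from the Hurl project.
// Renders a failed assert into an HTML report fragment, unescaped vs. escaped.

/// Escape the five characters that are significant in HTML text and attribute
/// context, so a server-supplied string can only ever render as text.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// The pattern described in the advisory: the actual value is wrapped in <...>
/// and dropped straight into the report. A response body containing markup
/// becomes live HTML, and an innocuous value becomes an unknown tag the
/// browser silently drops.
pub fn render_failure_unescaped(expected: &str, actual: &str) -> String {
    format!(
        "<div class=\"error\">expected {} actual <{}></div>",
        expected, actual
    )
}

/// Hardened variant (assumed fix, not necessarily Hurl's): escape both the
/// expected and the bracketed actual value before interpolation. The wrapper
/// brackets are escaped too, so the browser shows "<Hello, World!>" as text.
pub fn render_failure_escaped(expected: &str, actual: &str) -> String {
    format!(
        "<div class=\"error\">expected {} actual {}</div>",
        escape_html(expected),
        escape_html(&format!("<{}>", actual))
    )
}

fn main() {
    // Constructed response body mirroring the PoC's Caddy `respond` directive.
    let body = "<script>alert('Hi')</script>";
    let expected = "Hello, World!";
    println!("unescaped: {}", render_failure_unescaped(expected, body));
    println!("escaped:   {}", render_failure_escaped(expected, body));
}
```

The escaped output is what a reviewer should look for in the generated index.html: `&lt;script&gt;` rather than a literal `<script>`. Escaping at the point of interpolation (rather than trying to strip "dangerous" substrings from the response) is what makes the report safe regardless of what the server under test returns.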
PoC
- Download Caddy server
- Create a file named Caddyfile with the content:
localhost {
log
respond "<script>alert('Hi')</script>"
}
- Create a file named xss.hurl with the content:
GET https://localhost
[Options]
insecure: true
HTTP/2 200
[Asserts]
`Hello, World!`
- Run: hurl --report-html . xssr.hurl
- Open the resulting index.html in a browser
- Click on the xssr.hurl file link on the page
You'll see an alert triggered by JavaScript.
Impact
There are 2 impacts:
- The test subject (the web server) can inject arbitrary JS code to run on the client viewing the HTML report.
- Innocuous values are not displayed on the HTML page, because the bracketed values are parsed as HTML tags (which they are not meant to be) and browsers do not render unknown tags.