
GUIFuzzer: Fix handling of newlines in html attributes #78

Closed
wants to merge 1 commit into from

Conversation

SecureAB
Contributor

@SecureAB SecureAB commented Jun 20, 2020

Fix #77

This bug also affects the 'click' action. Here is an example page for that:

import threading

from http.server import HTTPServer, BaseHTTPRequestHandler, HTTPStatus
from fuzzingbook.GUIFuzzer import start_webdriver, GUIRunner, GUICoverageFuzzer

# Example page from the report: the anchor text is split across a floated <span>.
EXAMPLE_PAGE = """
<!DOCTYPE html>
<html>
<body> 
<style> span { float: left; }
</style>
           
<a href=""><span>I</span> W</a>
</body></html>
"""


class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    """Serve EXAMPLE_PAGE for every GET request."""

    def do_GET(self):
        self.send_response(HTTPStatus.OK, "Testpage")
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(EXAMPLE_PAGE.encode("utf8"))


def run_httpd_forever():
    httpd_address = ("127.0.0.1", 9000)
    httpd = HTTPServer(httpd_address, SimpleHTTPRequestHandler)
    print("Serving forever")
    # serve_forever() blocks, so it runs in a daemon thread (see main()).
    httpd.serve_forever()


def main():
    http_thread = threading.Thread(target=run_httpd_forever, daemon=True)
    http_thread.start()

    print("Starting driver")
    gui_driver = start_webdriver("chrome", True)  # headless Chrome

    gui_driver.get("http://127.0.0.1:9000/")

    runner = GUIRunner(gui_driver)
    fuzzer = GUICoverageFuzzer(gui_driver, log_gui_exploration=True)

    # Explores every discovered UI action, including the 'click' on the link.
    fuzzer.explore_all(runner)


if __name__ == "__main__":
    main()

@SecureAB SecureAB marked this pull request as draft July 1, 2020 16:00
@SecureAB
Contributor Author

SecureAB commented Jul 1, 2020

Currently, html.escape is used for escaping the user-provided strings. The problem with html.escape is that the backslash \ character is not escaped. This character can be used to escape the quotation mark of the string. This isn't a security problem with the single-line string, since the next quotation mark comes only in the next line and a SyntaxError is raised before these quotation marks are reached. An example of this would be a link with the text test\:

click('test\')

The closing quotation mark is escaped there with the backslash. This will interrupt the fuzzing, but it's not a dangerous security problem.

This changes with multi-line strings, since no SyntaxError will be raised in such a case. So base64 encoding will be better, since it encodes all special characters except + and /.
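As an added example (not code from this PR or from fuzzingbook), the following Python builds the `click('…')` statement described above in two ways: with `html.escape` only, which leaves the backslash and any raw newline in the JavaScript string literal, and with a base64 token that the browser side would decode with `atob()`. The function names, the `atob()` wrapper and the `scan_js_single_quoted_literal` helper (a small scanner implementing the ECMAScript rules for single-quoted literals: a backslash escapes the next character, and an unescaped line terminator is a syntax error) are all my own assumptions, not the project's API.

```python
import base64
import string

# Characters base64 may emit. Note that neither ' nor \ nor any newline is in it,
# which is exactly why a base64 token cannot break out of a JS string literal.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/="


def js_click_with_html_escape(link_text: str) -> str:
    """Build click('...') the way the discussion describes: html.escape only.
    html.escape rewrites & < > " ' but leaves backslashes and newlines untouched."""
    import html
    return "click('%s')" % html.escape(link_text)


def js_click_with_base64(link_text: str) -> str:
    """Hardened variant (assumed design): the link text travels as a base64 token
    and is decoded in the browser with atob() before use."""
    token = base64.b64encode(link_text.encode("utf-8")).decode("ascii")
    assert set(token) <= set(BASE64_ALPHABET)
    return "click(atob('%s'))" % token


def scan_js_single_quoted_literal(src: str, start: int):
    """Scan a JavaScript single-quoted literal beginning at src[start] == "'".
    Returns the index just past the closing quote, or None when the literal is
    malformed (unterminated, or containing a raw line terminator)."""
    assert src[start] == "'"
    i = start + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\":
            i += 2          # escape sequence: the next character cannot close the literal
            continue
        if ch in "\n\r":
            return None     # raw line terminator inside a '...' literal is a SyntaxError
        if ch == "'":
            return i + 1
        i += 1
    return None             # ran off the end: the closing quote was escaped away


def js_statement_is_well_formed(statement: str) -> bool:
    """True when the first '...' literal is well-formed and only the closing
    parenthesis(es) of click(...) / click(atob(...)) follow it."""
    open_quote = statement.find("'")
    if open_quote < 0:
        return False
    end = scan_js_single_quoted_literal(statement, open_quote)
    if end is None:
        return False
    return statement[end:] in (")", "))")


def decode_js_click_with_base64(statement: str) -> str:
    """Recover the original link text from a click(atob('...')) statement,
    i.e. what the browser would see after atob()."""
    start = statement.find("'")
    end = scan_js_single_quoted_literal(statement, start)
    token = statement[start + 1:end - 1]
    return base64.b64decode(token).decode("utf-8")


if __name__ == "__main__":
    # Constructed link texts: the trailing-backslash case from the comment above,
    # a text containing a newline, and a benign text with an apostrophe.
    for text in ["test\\", "line one\nline two", "it's"]:
        for build in (js_click_with_html_escape, js_click_with_base64):
            stmt = build(text)
            print("%-25s %-5s %r" % (build.__name__, js_statement_is_well_formed(stmt), stmt))
```

Running the block shows that `html.escape` keeps `'it's'` intact (the apostrophe becomes `&#x27;`) but produces an unterminated literal for `test\` and a raw newline for the two-line text, while every base64 statement is well-formed and decodes back to the original text.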

@SecureAB SecureAB closed this Jul 1, 2020
Successfully merging this pull request may close these issues.

GUIFuzzer: Error on newline in html attribute