Golang

2204 readers

1 users here now

This is a community dedicated to the go programming language.

Useful Links:

Rules:

Posts must be relevant to Go
No NSFW content
No hate speech, bigotry, etc
Try to keep discussions on topic
No spam of tools/companies/advertisements
It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

founded 1 year ago

MODERATORS

Ategon@programming.dev

austin@programming.dev

RandomDevOpsDude@programming.dev

Unmasking a Go HTML Parser Bug with Differential Fuzzing (mionskowski.pl)

submitted 1 year ago by tedu@azorius.net to c/golang@programming.dev

1 comments fedilink hide all child comments

In this write-up, we’ll delve into how, through differential fuzzing, we uncovered a bug in Go’s exp/net HTML’s tokenizer. We’ll show potential XSS implications of this flaw. Additionally, we’ll outline how Google assessed this finding within their VRP program and guide how to engage and employ fuzzing to evaluate your software.

you are viewing a single comment's thread
view the rest of the comments

[–] tedu@azorius.net 2 points 1 year ago

I think this is a good bug find, but I don't know why anyone would pass the original "safe" input through unchanged, instead of reserializing it.