Unmasking a Go HTML Parser Bug with Differential Fuzzing
(mionskowski.pl)
from tedu to golang@programming.dev on 24 Oct 2023 18:28
https://azorius.net/g/golang@programming.dev/p/jDhW3zgfgSP1ddN97z-Unmasking-a-Go-HTML-Parser-Bug-with-Differential
In this write-up, we’ll delve into how, through differential fuzzing, we uncovered a bug in Go’s exp/net HTML’s tokenizer. We’ll show potential XSS implications of this flaw. Additionally, we’ll outline how Google assessed this finding within their VRP program and guide you on how to engage with and employ fuzzing to evaluate your software.
I think this is a good bug find, but I don't know why anyone would pass the original "safe" input through unchanged, instead of reserializing it.
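The property behind both the article's finding and the comment above is the same: whatever a sanitizer or serializer emits must tokenize, on the next parse, to exactly the token stream it was built from. Echoing the original input sidesteps the serializer but trusts the tokenizer's view of it; reserializing is only safe if the serializer knows which contexts (such as `<script>` and `<style>` content) the tokenizer treats as raw text. The following is an added example, not code from the article, from Go's x/net/html, or from the commenter; it uses Python's standard-library `html.parser` as the tokenizer under test, a deliberately defective serializer beside a context-aware one, and a small piece-based fuzzer (the `PIECES` list and seed are constructed here) that checks the round-trip property `tokenize(render(tokenize(doc))) == tokenize(doc)` and reports every input on which it breaks.

```python
"""Round-trip differential check: tokenize(render(tokenize(doc))) == tokenize(doc).

Added example built on Python's stdlib html.parser; it is not code from the
article or from Go's x/net/html. A serializer whose output re-tokenizes
differently from the token stream it was built from is the bug class that lets
"sanitized" markup change meaning on the next parse.
"""
import random
from html import escape
from html.parser import HTMLParser

# Elements whose content html.parser treats as raw text (no entity decoding).
RAW_TEXT_ELEMENTS = {"script", "style"}


class TokenCollector(HTMLParser):
    """Records the token stream; adjacent data chunks are merged so that
    chunking differences between parser versions do not count as divergence."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, tuple(attrs)))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))

    def handle_data(self, data):
        if self.tokens and self.tokens[-1][0] == "data":
            self.tokens[-1] = ("data", self.tokens[-1][1] + data)
        else:
            self.tokens.append(("data", data))

    def handle_comment(self, data):
        self.tokens.append(("comment", data))


def tokenize(doc):
    parser = TokenCollector()
    parser.feed(doc)
    parser.close()
    return parser.tokens


def _open_tag(token):
    # A valueless attribute is emitted bare so it re-tokenizes as None, not "".
    attrs = "".join(
        f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"'
        for name, value in token[2]
    )
    return f"<{token[1]}{attrs}>"


def render_naive(tokens):
    """Serializer with the defect: it escapes data everywhere, including inside
    <script>/<style>, where the tokenizer does not decode entities on re-parse."""
    out = []
    for token in tokens:
        kind = token[0]
        if kind == "start":
            out.append(_open_tag(token))
        elif kind == "end":
            out.append(f"</{token[1]}>")
        elif kind == "data":
            out.append(escape(token[1], quote=False))
        elif kind == "comment":
            out.append(f"<!--{token[1]}-->")
    return "".join(out)


def render_context_aware(tokens):
    """Corrected serializer: raw-text content is emitted verbatim, and content
    that would terminate its own element early is refused instead of emitted."""
    out = []
    raw_elem = None
    for token in tokens:
        kind = token[0]
        if kind == "start":
            out.append(_open_tag(token))
            if token[1] in RAW_TEXT_ELEMENTS:
                raw_elem = token[1]
        elif kind == "end":
            out.append(f"</{token[1]}>")
            if token[1] == raw_elem:
                raw_elem = None
        elif kind == "data":
            if raw_elem is None:
                out.append(escape(token[1], quote=False))
            elif f"</{raw_elem}" in token[1].lower():
                raise ValueError(f"raw text would close <{raw_elem}> early")
            else:
                out.append(token[1])
        elif kind == "comment":
            out.append(f"<!--{token[1]}-->")
    return "".join(out)


def check_roundtrip(doc, render):
    """Return None if the round-trip property holds, else (original, reparsed)."""
    original = tokenize(doc)
    reparsed = tokenize(render(original))
    return None if original == reparsed else (original, reparsed)


# Constructed building blocks for a tiny piece-based fuzzer (not real-world inputs).
PIECES = ["<b>", "</b>", "<script>", "</script>", "<style>", "</style>",
          "1<2", "&lt;", "&amp;", "<!--", "-->", "x", " "]


def fuzz(render, iterations=1000, seed=1):
    """Return the generated documents on which the serializer breaks the property."""
    rng = random.Random(seed)
    failures = []
    for _ in range(iterations):
        doc = "".join(rng.choice(PIECES) for _ in range(rng.randint(1, 8)))
        try:
            if check_roundtrip(doc, render) is not None:
                failures.append(doc)
        except ValueError:
            pass  # an explicit refusal is a safe outcome, not a silent divergence
    return failures


if __name__ == "__main__":
    for name, render in (("naive", render_naive), ("context-aware", render_context_aware)):
        bad = fuzz(render)
        print(f"{name}: {len(bad)} divergent inputs", bad[:3])
```

Running the module reports, for the naive serializer, inputs such as a `<script>` block containing `1<2` or `&lt;`, which it rewrites to `1&lt;2` or `&amp;lt;`; the tokenizer reads those back verbatim inside script content, so the serialized document no longer means what the token stream meant. The same comparison against a second tokenizer (for instance a browser's) is the differential form the article describes; the round-trip form shown here needs only one parser and catches serializer/tokenizer disagreement within it.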