Golang

27 readers

1 users here now

This is a community dedicated to the go programming language.

Useful Links:

Rules:

Posts must be relevant to Go
No NSFW content
No hate speech, bigotry, etc
Try to keep discussions on topic
No spam of tools/companies/advertisements
It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

founded 1 year ago

MODERATORS

[email protected]

Unmasking a Go HTML Parser Bug with Differential Fuzzing (mionskowski.pl)

submitted 10 months ago by [email protected] to c/[email protected]

1 comments fedilink hide all child comments

In this write-up, we’ll delve into how, through differential fuzzing, we uncovered a bug in Go’s exp/net HTML’s tokenizer. We’ll show potential XSS implications of this flaw. Additionally, we’ll outline how Google assessed this finding within their VRP program and guide how to engage and employ fuzzing to evaluate your software.

top 1 comments

sorted by: hot top controversial new old

[–] [email protected] 2 points 10 months ago

I think this is a good bug find, but I don't know why anyone would pass the original "safe" input through unchanged, instead of reserializing it.