Summary
Hurl surrounds values received from the web server with angle brackets, i.e. < and >, when they don't match the expectation. The values, with their brackets, are rendered into the HTML report unescaped. This allows the web server under test to inject problematic code into the HTML.
Details
Hurl displays the errors/failures within angle brackets, i.e. < and >. When generating an HTML report of the tests, the rendering of those values does not escape the angle brackets, so browsers do not display anything because they don't understand
Here's how it's displayed in the HTML report in a browser:

Here are the culprit lines in the HTML file:
Hurl passes the web server input to the HTML unsanitized.
PoC
- Download Caddy server
- Create a file named Caddyfile with the content:

      localhost {
          log
          respond "<script>alert('Hi')</script>"
      }

- Create a file named xss.hurl with the content:

      GET https://localhost
      [Options]
      insecure: true
      HTTP/2 200
      [Asserts]
      `Hello, World!`

- Run:

      hurl --report-html . xss.hurl

- Open the resulting index.html in a browser
- Click on the xss.hurl file link on the page
You'll see an alert triggered by JavaScript.

Impact
There are 2 impacts:
- The test subject (the web server) can inject arbitrary JS code to run on the client viewing the HTML report.
- Innocuous values are not displayed on the HTML page because the bracketed values are interpreted as HTML tags (which they are not), and browsers do not render tags they do not recognize.
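The fix the advisory implies is to HTML-escape every server-derived value before it is written into the report. The following is an added illustration in Rust (Hurl's language), not Hurl's own code: it builds a failure line in the style described above (actual and expected values wrapped in < and >), shows the unsafe rendering beside the escaped one, and uses the PoC's script body as a constructed sample.

```rust
// Added example, not part of Hurl. Function names and the <pre> wrapper are
// assumptions chosen for illustration; only the bracket convention and the
// sample body come from the advisory.

/// Escape the characters that can change meaning inside HTML text/attributes.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Failure message in the style the advisory describes: values inside < and >.
/// `actual` is controlled by the server under test.
fn failure_message(actual: &str, expected: &str) -> String {
    format!("actual:   <{actual}>\nexpected: <{expected}>")
}

/// Vulnerable rendering: the message lands in the report unchanged, so a
/// server body such as <script>...</script> becomes live markup.
fn render_unescaped(message: &str) -> String {
    format!("<pre class=\"error\">{message}</pre>")
}

/// Hardened rendering: escape before inserting, so the brackets Hurl adds and
/// anything the server sent are shown as text and never parsed as tags.
fn render_escaped(message: &str) -> String {
    format!("<pre class=\"error\">{}</pre>", html_escape(message))
}

/// Self-check a report generator can run: an untrusted string must not
/// appear verbatim in the rendered output.
fn leaks_untrusted_verbatim(rendered: &str, untrusted: &str) -> bool {
    rendered.contains(untrusted)
}

fn main() {
    // Constructed sample: the body the PoC's Caddy server responds with.
    let body = "<script>alert('Hi')</script>";
    let msg = failure_message(body, "Hello, World!");
    println!("{}", render_unescaped(&msg)); // a browser would run the script
    println!("{}", render_escaped(&msg));   // a browser shows the literal text
}
```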