
GUIFuzzer: Error on newline in html attribute

Open SecureAB opened this issue 5 years ago • 0 comments

Describe the bug The grammar which is generated by the GUIGrammarMiner doesn't handle newlines in html attributes correctly.

To Reproduce

  1. Try to run the following example:

```python
import threading

from http.server import HTTPServer, BaseHTTPRequestHandler, HTTPStatus
from fuzzingbook.GUIFuzzer import start_webdriver, GUIRunner, GUICoverageFuzzer, GUIGrammarMiner

# Minimal page whose only element carries a newline inside an attribute value.
EXAMPLE_PAGE = """
<html>
    <body>
        <button name="test
">Button with a newline</button>
    </body>
</html>
"""


class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    """Serve EXAMPLE_PAGE for every GET request."""

    def do_GET(self):
        self.send_response(HTTPStatus.OK, "Testpage")
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(EXAMPLE_PAGE.encode("utf8"))


def run_httpd_forever():
    httpd_address = ("127.0.0.1", 9000)
    httpd = HTTPServer(httpd_address, SimpleHTTPRequestHandler)
    print("Serving forever")  # serve_forever() never returns, so print first
    httpd.serve_forever()


def main():
    # Serve the page from a background thread; daemon=True so it exits with main.
    http_thread = threading.Thread(target=run_httpd_forever, daemon=True)
    http_thread.start()

    print("Starting driver")
    gui_driver = start_webdriver("chrome", True)  # headless Chrome
    gui_driver.get("http://127.0.0.1:9000/")

    runner = GUIRunner(gui_driver)
    fuzzer = GUICoverageFuzzer(gui_driver, log_gui_exploration=True)

    # Mines the GUI grammar and executes the generated actions; fails on the newline.
    fuzzer.explore_all(runner)


if __name__ == "__main__":
    main()
```
  2. The following error is thrown:

```
Starting driver
127.0.0.1 - - [15/Jun/2020 14:31:10] "GET / HTTP/1.1" 200 -
Run #1
127.0.0.1 - - [15/Jun/2020 14:31:10] "GET / HTTP/1.1" 200 -
Action submit('test
') -> <state-1>
Traceback (most recent call last):
  File "bug.py", line 50, in <module>
    main()
  File "bug.py", line 44, in main
    fuzzer.explore_all(runner)
  File "/home/SecureAB/.local/lib/python3.7/site-packages/fuzzingbook/GUIFuzzer.py", line 1149, in explore_all
    self.run(runner)
  File "/home/SecureAB/.local/lib/python3.7/site-packages/fuzzingbook/GUIFuzzer.py", line 1012, in run
    result, outcome = runner.run(action)
  File "/home/SecureAB/.local/lib/python3.7/site-packages/fuzzingbook/GUIFuzzer.py", line 792, in run
    {'fill': fill, 'check': check, 'submit': submit, 'click': click})
  File "<string>", line 1
    submit('test
               ^
```

Expected behavior The explore_all call should return normally.

Desktop (please complete the following information):

  • OS: Debian Linux
  • Browser: Chromium
  • Python version: 3.7

Additional context The grammar generates python code which is later executed. Python strings like the following are invalid:

```python
submit('test
')
```

The same problem exists if the HTML text ends with a backslash \.

SecureAB, Jun 20 '20 22:06
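The failure mode described in this issue, reduced to its core: attribute text from the page is spliced verbatim into a Python expression that is then evaluated. The following is an added illustration, not fuzzingbook's own code; `submit`, `ACTIONS`, `build_action_unsafe`, `build_action_safe`, `run_generated` and `run_direct` are constructed stand-ins for the runner's action dispatch, and the inputs are constructed to match the newline and backslash cases from the report.

```python
# Constructed stand-in for GUIRunner.submit: records which element was submitted.
def submit(name):
    return ("submit", name)


# Namespace the generated expression is evaluated against (mirrors the
# {'fill': ..., 'submit': ...} dict seen in the traceback; only submit is modelled).
ACTIONS = {"submit": submit}


def build_action_unsafe(name):
    # The failing pattern: the raw attribute value becomes part of the source text.
    # A newline terminates the string literal early; a trailing backslash escapes
    # the closing quote. Either way eval() sees unparseable code.
    return "submit('" + name + "')"


def build_action_safe(name):
    # repr() produces a valid Python string literal: newlines, quotes and
    # backslashes are escaped, so the generated expression always parses and the
    # original value is reproduced exactly at run time.
    return "submit(" + repr(name) + ")"


def run_generated(code):
    """Evaluate generated action code with a restricted namespace, as the runner
    does. Returns the action's result, or the SyntaxError if the code is broken."""
    try:
        return eval(code, {"__builtins__": {}}, ACTIONS)
    except SyntaxError as err:
        return err


def run_direct(action, name):
    """Preferred design: call the action function directly with the value as an
    argument. No source code is built from page content, so there is nothing to
    escape and no eval() to break or to misdirect."""
    return ACTIONS[action](name)


if __name__ == "__main__":
    for value in ["test\n", "test\\", "it's"]:
        print("unsafe:", type(run_generated(build_action_unsafe(value))).__name__)
        print("safe:  ", run_generated(build_action_safe(value)))
        print("direct:", run_direct("submit", value))
```

`build_action_safe` fixes the parse error the issue reports; `run_direct` shows the more robust shape, where mined values are passed as data rather than rendered into code, which removes the whole class of escaping problems from the runner.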