[Python-Dev] Need help to fix HTTP Header Injection vulnerability
tir.karthi at gmail.com
Wed Apr 10 07:07:03 EDT 2019
> 1. Is there a library of URL / Header injection tests e.g. for fuzzing
> that we could generate additional test cases with or from?
https://github.com/swisskyrepo/PayloadsAllTheThings seems to contain
payload related stuff but not sure how useful it is for URL parsing.
> 2. Are requests.get() and requests.post() also vulnerable?
urllib3 seems to be vulnerable as noted in
https://bugs.python.org/issue36276#msg337837 . requests uses urllib3 under
the hood. The last time I checked requests passed encoded URL to urllib3
where this doesn't seem to be exploitable but I could be wrong.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Python-Dev