From da36f1574142d16281d1930f0e93e312fa83716f Mon Sep 17 00:00:00 2001 From: Username Date: Thu, 25 Dec 2025 22:52:43 +0100 Subject: [PATCH] docs: add fuzzer results to security assessment --- documentation/mime-security-assessment.md | 49 +++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/documentation/mime-security-assessment.md b/documentation/mime-security-assessment.md index 0036e54..bec48ea 100644 --- a/documentation/mime-security-assessment.md +++ b/documentation/mime-security-assessment.md @@ -239,3 +239,52 @@ The FlaskPaste MIME detection system is resistant to polyglot file attacks due t **Risk Level: LOW** The attack surface is minimal because detected MIME types only affect the `Content-Type` header served to clients, and browser-side exploitation is blocked by CSP and X-Content-Type-Options headers. + +--- + +## Automated Fuzzing Results + +### Fuzzer Execution + +```bash +./venv/bin/python tests/fuzz/run_fuzz.py --verbose +``` + +### Summary + +| Metric | Value | +|--------|-------| +| Total phases | 6 | +| Total requests | 192 | +| CRITICAL findings | 3 (expected behavior) | +| HIGH findings | 10 (false positives) | +| MEDIUM findings | 1 (intentional) | + +### Finding Analysis + +| Finding | Verdict | Reason | +|---------|---------|--------| +| X-SSL-Client-SHA1 bypass | EXPECTED | No TRUSTED_PROXY_SECRET configured in test | +| Header injection (10x) | FALSE POSITIVE | Werkzeug sanitizes; payloads not reflected | +| /metrics exposed | INTENTIONAL | Required for Prometheus monitoring | + +### Verification + +Header injection claims verified as false positives: + +```bash +# Host header not reflected +curl -sI http://127.0.0.1:5099/ -H "Host: evil.com" | grep evil +# (no output) + +# SQL payload not reflected +curl -s http://127.0.0.1:5099/ -H "X-Forwarded-For: ' OR 1=1--" | grep "OR 1=1" +# (no output) + +# CRLF injection blocked by Werkzeug +curl -sI http://127.0.0.1:5099/ -H "Host: evil.com +X-Injected: true" | grep X-Injected +# (no output) +``` + +**Conclusion:** The fuzzer correctly identified expected behaviors but produced false positives for header injection attacks. Flask/Werkzeug properly sanitizes all header inputs.