Characters in links escaped with backslash lead to injection

From Hackipedia
Hackerone #46072
Target: Hackerone
Target Module:
Type: XSS
Payload: <http://\<h1\>test\</h1\>>
Original: Link
CVE:

Hackerone reports use Markdown Editor as the report formatting engine. danlec found that, in links inserted into a report, characters escaped with a backslash ('\') were skipped by the parser's filtering and therefore reached the rendered HTML unsanitized.

The example given on his blog:

<http://\<h1\>test\</h1\>>

would render as

http://<h1>test</h1>
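The following is an added illustration of this bug class, not Hackerone's or Markdown Editor's code: a minimal autolink renderer that hides backslash escapes behind placeholders, sanitizes, and then restores the escaped characters. Restoring them raw (as in render_vulnerable) reproduces the rendering above; restoring them HTML-encoded (render_fixed) keeps them literal. The sample input is the report's first example, and the helper names are assumptions made for this example.

```python
import html
import re

# Backslash escape in Markdown source: "\X" stands for the literal character X.
ESCAPE_RE = re.compile(r"\\(.)", re.DOTALL)
# Placeholder used to hide an escaped character from the later passes.
PLACEHOLDER_RE = re.compile(r"\x00([0-9a-f]+)\x00")
# Autolink as it looks after the HTML pass: &lt;scheme:...&gt;
AUTOLINK_RE = re.compile(r"&lt;((?:https?|mailto):(?:(?!&gt;)\S)*)&gt;")

# Constructed sample: the first example from the report.
SAMPLE = "<http://\\<h1\\>test\\</h1\\>>"


def _protect_escapes(src: str) -> str:
    # "\<" becomes "\x003c\x00", which no later pass recognises as markup.
    return ESCAPE_RE.sub(lambda m: "\x00%x\x00" % ord(m.group(1)), src)


def _render_autolinks(src: str) -> str:
    return AUTOLINK_RE.sub(
        lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), src)


def render_vulnerable(src: str) -> str:
    """Restore escapes as raw characters after sanitization (the bug class)."""
    out = _render_autolinks(html.escape(_protect_escapes(src), quote=True))
    # The output is already HTML, so a raw '<' or '"' dropped in here
    # reintroduces exactly the markup html.escape() had neutralized.
    return PLACEHOLDER_RE.sub(lambda m: chr(int(m.group(1), 16)), out)


def render_fixed(src: str) -> str:
    """Restore escapes HTML-encoded, so they stay literal text in both
    the link text and the href attribute (quote=True also covers '\"')."""
    out = _render_autolinks(html.escape(_protect_escapes(src), quote=True))
    return PLACEHOLDER_RE.sub(
        lambda m: html.escape(chr(int(m.group(1), 16)), quote=True), out)


def has_unexpected_tags(rendered: str) -> bool:
    """Detection check: any tag other than the <a>/</a> the renderer emits."""
    tags = re.findall(r"<(/?[a-z][a-z0-9]*)", rendered, re.I)
    return any(t.lower() not in ("a", "/a") for t in tags)


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))  # link text and href contain a raw <h1>
    print(render_fixed(SAMPLE))       # the brackets stay &lt; and &gt;
```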

In the original report this is one of the example attacks given:

<http://\<img\ src=0\ onerror=\"$.getJSON(\'/bugs\',function(a){alert(JSON.stringify(a));})\"\>>

The 'bugs' endpoint, or more simply hacker.com/bugs.json, lists a user's entire inbox of bugs.

This attack could be altered slightly to send the inbox info as a URL parameter to a waiting endpoint; a waiting malicious user would then be able to take advantage of unpatched bugs.


How To Perform

  1. Find a place where user supplied information is reflected
  2. Try simple reflection attacks first
  3. Make sure to use the bypass method used in this report
    1. Place a \ in front of any character that is removed by the filter