HermanMartinus / bearblog

Free, no-nonsense, super fast blogging.
MIT License

XSS via markdown #32

Closed. lud99 closed this issue 4 years ago.

lud99 commented 4 years ago

It is possible to perform XSS in both the home page and the blogs, and likely anywhere where you can enter markdown. This is the payload I used, but there are probably others that work as well: `![](x"onerror="alert('1'))`

Example with this in action

HermanMartinus commented 4 years ago

I'd come across this before and I haven't patched it as I can't think of how it could be malicious (the site the script is being injected into being that user's own site). The reason I prevented `<script>` tags was to dissuade people from embedding JS in the site on more of an ethos level.

I have made a note to patch this though. Out of curiosity, what kind of malicious activity could be performed using code injection here?

lud99 commented 4 years ago

It would be possible to make a fake login page where an attacker could possibly steal a visitor's login credentials. It would also be possible to redirect someone to a malicious website or something unwanted. However, it isn't possible to steal the visitor's session cookie or make requests to delete their account on their behalf, as you have implemented (as far as I can tell) proper CSRF protection. Many of the potential malicious uses aren't available as the blog uses a different domain than the admin page does.

Some smaller but maybe not as practical things can be performed, such as setting a cookie for the root domain (example: overriding the session id to log someone out, or log someone else in on the visitor's device with another session id). I haven't tested this, but it might also be possible to make the visitor automatically 'toast' your post.

HermanMartinus commented 4 years ago

Yeah, I hear you. I did create a protected subdomain list as I did have someone trying to create a fake login page at login.bearblog.dev.

It's a bit complicated to resolve as markup needs to be injected while deactivating executable code (as people still need to be able to insert, say, script tags as text). I'm thinking of using Bleach. Will update this issue when I figure it out :)

weekendproject #donoevil

HermanMartinus commented 4 years ago

Cool. I'm now sanitizing content using lxml https://github.com/HermanMartinus/bearblog/commit/ea7681e591408ce82289195e69fd6d15584c80c0

It solves the example you've posted above, and I've run it through some other test cases. It may not be perfect, but it's caught everything I've thrown at it so far.
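The payload lud99 posted, and the requirement Herman states for the fix (keep the markup, neutralise anything executable, but let a post that quotes `<script>` as text still show it), as an added example. This is not bearblog's code and not the lxml or Bleach approach the thread mentions; `naive_render_image` is a hypothetical renderer that reproduces the symptom by interpolating `alt`/`src` without escaping, and `sanitize` is a small allowlist sanitizer written on Python's standard-library `html.parser`. The tag and attribute lists are assumptions chosen for a blog, not bearblog's.

```python
import html
import re
from html.parser import HTMLParser

# Constructed input: the payload from the issue, as a user would type it in markdown.
PAYLOAD = """![](x"onerror="alert('1'))"""


def naive_render_image(md: str) -> str:
    """Hypothetical renderer: turns ![alt](src) into <img> by string interpolation
    without escaping. It reads the URL with balanced parentheses, which is why the
    payload's inner (...) survives and ends up as an onerror attribute."""
    out, i = [], 0
    while True:
        start = md.find("![", i)
        close = md.find("](", start) if start >= 0 else -1
        if close < 0:
            out.append(md[i:])
            return "".join(out)
        depth, j = 1, close + 2
        while j < len(md) and depth:
            depth += {"(": 1, ")": -1}.get(md[j], 0)
            j += 1
        if depth:  # unterminated link: emit the rest as text
            out.append(md[i:])
            return "".join(out)
        alt, src = md[start + 2:close], md[close + 2:j - 1]
        out.append(md[i:start])
        out.append(f'<img src="{src}" alt="{alt}">')  # the bug: no escaping
        i = j


# Assumed allowlist for a blog: tag -> attributes that may survive on it.
ALLOWED = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "code": set(),
    "pre": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "title"},
}
VOID = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def safe_url(value: str) -> bool:
    """Allow relative URLs and the schemes in SAFE_SCHEMES only. Whitespace and
    control characters are removed before the check because browsers ignore
    them inside a scheme (so a newline in the middle of 'javascript:' does not
    help an attacker)."""
    m = _SCHEME.match(_CONTROL.sub("", value))
    return m is None or m.group(1).lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Allowlist sanitizer over the parsed tag stream. Tags outside ALLOWED are
    re-emitted as escaped text, so '<script>' in a post stays visible but never
    runs; attributes outside the allowlist (every on* handler included) are
    dropped; href/src must pass safe_url. Text is always re-escaped, so an
    already-escaped '&lt;script&gt;' inside <code> comes back unchanged."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.out.append(html.escape(self.get_starttag_text(), quote=False))
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            self.out.append(html.escape(f"</{tag}>", quote=False))
        elif tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing a post needs.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass


def sanitize(fragment: str) -> str:
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    rendered = naive_render_image(PAYLOAD)
    print("rendered :", rendered)
    print("sanitized:", sanitize(rendered))
```

The point the thread circles around is where the check lives: stripping the string `<script>` from markdown is both too much (a post quoting a tag as text loses it) and too little (the payload never contains that string). Working on the parsed tag stream after rendering, with an allowlist of tags and attributes and a scheme check on `href`/`src`, handles both the quoted tag and the injected event handler in the same pass. A production sanitizer also needs tag balancing and a much more thorough URL check than this sketch.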