Example 2

Our second example vulnerability is in the marked npm package, a module for parsing Markdown. The issue is that we are using marked@0.3.5, and this version has a Cross-site Scripting (XSS) vulnerability.

In our sample application, marked takes Markdown input and converts it to HTML. This lets us add items to our list with emphasis such as bold, or add links.

So where is the vulnerability? Let's walk through the following example. We are going to add another link to our list, but this time we will include JavaScript.

[Gotcha](javascript:alert(1))

This will not work. So we can substitute HTML entities for some of the characters. For example, : becomes &#58; and ) becomes &#41;.

[Gotcha](javascript&#58;alert(1&#41;)

This too will not work, and the output will get trimmed. So, we break the entity up by typing extra characters inside it. Our marked package lets this string through, and our browser forgives the malformed entity.

[Gotcha](javascript&#58this;alert(1))

The result is rendered as a link in our list. Now, if we click on the link, we will see the JavaScript alert pop-up.

This is a crude example, but it demonstrates the potential for something much more sophisticated to be introduced and to significantly compromise security.
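The bypass works because the sanitizer judges the raw link text while the browser decodes it leniently (a numeric entity needs no closing semicolon). As an added example that is not code from marked or from the original tutorial, here is a defensive href check that normalizes the way a browser would before allow-listing the scheme; ALLOWED_SCHEMES, isSafeHref and the sample strings are assumptions constructed for illustration.

```javascript
'use strict';

// Schemes we are willing to render as links (assumption for this example).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decode numeric character references the way browsers do: the trailing
// semicolon is optional, so "&#58this;" yields ":this;".
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, num) => {
    const cp = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Browsers also ignore control and whitespace characters inside the scheme,
// so strip them after decoding and compare case-insensitively.
function normalizeHref(href) {
  return decodeNumericEntities(href).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// True only for relative URLs or URLs whose scheme is on the allow-list.
function isSafeHref(href) {
  const norm = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(norm);
  if (!m) return true; // no scheme at all: relative link
  return ALLOWED_SCHEMES.has(m[1]);
}

// Naive check that only looks at the raw string; this is the kind of test
// the tutorial's broken-entity link slips past.
function naiveIsSafeHref(href) {
  return !/^\s*javascript:/i.test(href);
}

// Constructed sample link targets, modelled on the tutorial's three steps.
const SAMPLES = {
  plain: 'javascript:alert(1)',
  entities: 'javascript&#58;alert(1&#41;)',
  malformed: 'javascript&#58this;alert(1)',
  benign: 'https://example.com/page',
  relative: '/list',
};

for (const [name, href] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', naiveIsSafeHref(href), 'normalized:', isSafeHref(href));
}
```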