{"id":14436,"date":"2017-08-30T16:10:27","date_gmt":"2017-08-30T14:10:27","guid":{"rendered":"https:\/\/codisec.com\/?p=14436"},"modified":"2023-03-22T16:29:56","modified_gmt":"2023-03-22T15:29:56","slug":"xss-rocket-chat-markdown-parser","status":"publish","type":"post","link":"https:\/\/codisec.com\/xss-rocket-chat-markdown-parser\/","title":{"rendered":"XSS in Rocket.Chat Markdown parser"},"content":{"rendered":"

Recently, we’ve observed a strange behavior of the chat service platform we’re using for everyday communication – Rocket.Chat. Rocket.Chat allows users to format their messages with Markdown syntax. Among the available options there is inline code syntax, <code>`code`</code>, which produces the following message:

[image: rendered inline code message]

and <code>![title](http://url.to.image)</code>, which results in an image with the specified title as an attribute of the <code>&lt;a&gt;</code> tag.

However, combining the two results in a very strange output message – <code>![`foo`](http://bar)</code> will display:

[image: rendered combined message]

It looked like a fault in the parser, so we couldn’t wait to see if we could exploit it…

<h2>Exploitation</h2>

Let’s take a closer look at the HTML rendered from the examples above:

Inline code <code>`s`</code> is rendered as:

<code class="code-colors inline">s</code>

Embedding an image with <code>![foo](http://bar)</code> results in:

<a href="http://bar" title="foo" target="_blank"><div class="inline-image" style="background-image: url(http://bar);"></div></a>

When used together in <code>![`foo`](http://bar)</code>:

<a href="&lt;a href=" http:="" bar"="" target="_blank" rel="noopener noreferrer">http://bar</a>" title="`foo`" target="_blank"><div class="inline-image" style="background-image: url(http://bar);"></div>

In the last example we can see weird things: <code>`foo`</code> was not parsed as code (it remains unchanged as the value of the <code>title</code> attribute), and the <code>http://bar</code> value of the <code>href</code> attribute was for some reason converted into an HTML link, causing tag nesting. What’s interesting is that the <code>bar</code> string is treated as an attribute of the <code>&lt;a&gt;</code> tag rather than as the value of <code>href</code>.

We know we can control the attribute name of the <code>&lt;a&gt;</code> tag – can we also control the value?

<code>![`foo`](http://bar=val)</code>:

<a href="&lt;a href=" http:="" bar="val&quot;" target="_blank" rel="noopener noreferrer">http://bar=val</a>

Partially – yes. Unfortunately, we are restricted by a few constraints. After a couple of tests we knew the following: