Level 10: Naive Markdown Parser
MISSION: The system securely converts standard Markdown links into HTML. Find a way to abuse the resulting href attribute to execute JavaScript.
/// SOURCE CODE INSPECTOR ///
// Client-Side Markdown Parser
// Reads the "payload" query parameter from the page URL.
const params = new URLSearchParams(location.search);
let userInput = params.get('payload') || '';
// The developer wrote a custom regex to parse markdown links.
// It converts [Text](URL) into <a href="URL">Text</a>
// FLAW: It never checks the URL scheme (e.g. restricts it to HTTP/HTTPS),
// and it inserts the raw URL and link text into the page as HTML.
let parsedHTML = userInput.replace(/\[(.*?)\]\((.*?)\)/g, '<a href="$2">$1</a>');
document.getElementById('preview').innerHTML = parsedHTML;
/// DECRYPTION COMPLETE ///
The regex rewrites standard Markdown link syntax into an anchor tag but never validates the scheme of the URL. Passing a javascript: pseudo-protocol as the URL turns the link into an XSS vector that fires when the link is clicked.
Payload:
[Click Me](javascript:alert(1))