A photo of a cute puppy.

Exploiting XSS via Markdown

I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that was implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit....

8 February 2019 · 7 min · 1350 words · Jakob Pennington
A graphic of a HTML script tag fading into the background.

Minifying XSS

Cross-Site Scripting is still one of the most prevalent web application vulnerabilities, and has featured in each revision of the OWASP Top 10 since the list was first published in 2010. Peaking at #2 in 2010, XSS was knocked off the podium for the first time in 2017, coming in at #7 on the list. This demotion may be due to the rise in popularity in Single Page Application (SPA) front-end frameworks such as React, Angular and Vue, which often include built-in sanitation to prevent these attacks....

18 March 2018 · 8 min · 1492 words · Jakob Pennington