Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Using insecure npm packages can lead to this vulnerability. Some projects today help test and alert on insecure dependencies:
The Marked library has reached millions of downloads a month, making it quite popular; it also had 11,000 stars on GitHub at one point.
In this demo project we are using an insecure version of the Marked library that is vulnerable to XSS exploits.
Scenario: A form on a page allows free-text user input, which is later parsed as Markdown by the Marked library and rendered in a dedicated view to show the rich-text version. An attacker can exploit this form to submit malicious XSS strings that the Markdown library does not filter well, resulting in an XSS attack.
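As an added example (not code from the demo project), here is the kind of check a dependency-audit tool runs to flag a known-vulnerable Marked version before it is deployed: it compares lockfile versions against advisory ranges. The lockfile entries, advisory IDs and version ranges below are constructed placeholders; real advisories come from the npm registry or a vulnerability database.

```javascript
// Parse "1.2.3" (or "^1.2.3" / "v1.2.3") into numeric parts for comparison.
function parseVersion(v) {
  return v.replace(/^[v^~]/, '').split('.').map(n => parseInt(n, 10) || 0);
}

// Numeric comparison so that 1.10.0 > 1.9.0 (string comparison would get this wrong).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Supports ranges such as "<0.3.9" or ">=1.0.0 <1.2.0" (space-separated clauses are ANDed).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(clause => {
    const [, op = '=', target] = clause.match(/^(<=|>=|<|>|=)?(.+)$/);
    const c = compareVersions(version, target);
    switch (op) {
      case '<': return c < 0; case '<=': return c <= 0;
      case '>': return c > 0; case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Walk the lockfile's dependency map and report every entry inside an advisory's vulnerable range.
function findVulnerableDependencies(lockDeps, advisories) {
  const findings = [];
  for (const [name, { version }] of Object.entries(lockDeps)) {
    for (const adv of advisories) {
      if (adv.module === name && satisfies(version, adv.vulnerableRange)) {
        findings.push({ module: name, version, id: adv.id, title: adv.title });
      }
    }
  }
  return findings;
}

// Constructed sample data: not a real package-lock.json and not real advisories.
const sampleLockDependencies = { marked: { version: '0.3.5' }, express: { version: '4.17.1' } };
const sampleAdvisories = [
  { id: 'EXAMPLE-ADVISORY-1', module: 'marked', vulnerableRange: '<0.3.9', title: 'XSS via crafted markdown (placeholder)' },
  { id: 'EXAMPLE-ADVISORY-2', module: 'express', vulnerableRange: '<4.0.0', title: 'placeholder advisory' },
];

console.log(findVulnerableDependencies(sampleLockDependencies, sampleAdvisories));
```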
Try sending one of the following markdown syntax strings in the Memos section to exploit it and see which one succeeds: