by gregsadetsky 977 days ago
Oh no -- it's actually vulnerable to XSS...!!!

https://joshcsimmons.com/post/eNpTVlaoKC5WSEnNzefisilOLsosKL...

(This just injects a <script> alert, but.... that's bad.)

Just tried contacting the author via LinkedIn (since I don't see an email address on their site).

@joshcsimmons are you around?


The author is aware.

> Every post that I want to publicly claim authorship of lives at the root of this site. If you are reading a post that I have claimed it will look like this page. Posts of unknown authorship have a disclaimer at the top of the page.

https://joshcsimmons.com/post/H4sIAAAAAAAA%2F3xV227cRgx911cQ...

> The author is aware.

Since the website is vulnerable to XSS, you could inject a script that removes the disclaimer.

Very clever. For those wondering, this won't gunzip since it's compressed using zlib. You must do a chain like this: URL Decode -> Base64 Decode -> Zlib Inflate.

Right on! I used https://bugdays.com/gzip-base64 to go back and forth.

Base64 generates slashes, so the site (and I) run encodeURIComponent in the devtools on the resulting base64 to make sure it's completely URL-safe.

---

The PoC "payload" is

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D

which uri-component-decodes to:

eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i9YpSc/PLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg=

which un-base64+gzip's to (using the site I posted above):

  <script>document.getElementsByClassName('light')[0].remove()</script>

  # this is bad

Hah, this is clever. Mixed feelings on patching this, but I patched it for now.

s/removes the disclaimer/exploits a browser 0-day/

There are much less weird links you can give someone if you have a 0-day. I don't think that's a problem worth worrying about for the author.

It’s a problem worth worrying about for users who maintain whitelists of domains they allow JavaScript from.

For sure, there's awareness and then there's disregard of any basic web security.

The second they start hosting any application/backend/cookie-enabled thing on this domain name, anyone could inject a script via their /post/ gzip-base64 scheme and do bad things...?

I don't think HTML sanitization would go against the principle of this idea. Just... at the very least, strip the tags! :-)
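The decode chain described above (URL decode -> base64 decode -> zlib inflate), its inverse, and the escape-before-render fix suggested in the last comment, as an added Python example that is not code from the site or from any commenter. The payload constant is the PoC string quoted in the thread; the function names and the choice of html.escape (rather than tag stripping) are my own.

```python
import base64
import html
import urllib.parse
import zlib

# PoC payload copied from the thread (the /post/<payload> path component).
POC_PAYLOAD = (
    "eNqzKU4uyiwosUvJTy7NTc0r0UtPLXHNSQUxi50qnXMSi4v9EnNTNdRzMtMzStQ1ow1i"
    "9YpSc%2FPLUjU0bfShmrm4lBVKMjKLFYAoKTEFACeDHYg%3D"
)


def decode_post(payload: str) -> str:
    """URL decode -> base64 decode -> zlib inflate, the chain the thread describes."""
    b64 = urllib.parse.unquote(payload)          # %2F -> /, %3D -> =
    raw = base64.b64decode(b64, validate=True)    # reject anything that is not base64
    # The "eNq" prefix is the zlib header 0x78 0xDA, so this is zlib, not gzip:
    # zlib.decompress handles it, gzip.decompress would not.
    return zlib.decompress(raw).decode("utf-8")


def encode_post(text: str) -> str:
    """Inverse chain: deflate -> base64 -> percent-encode everything, like encodeURIComponent."""
    raw = zlib.compress(text.encode("utf-8"), 9)
    b64 = base64.b64encode(raw).decode("ascii")
    return urllib.parse.quote(b64, safe="")       # safe="" also encodes / + =


def render_safely(text: str) -> str:
    """Escape the decoded text before it is inserted into the page.

    Whatever the URL carried is shown as literal characters, so a <script>
    tag (or any other markup) in the payload can never execute.
    """
    return html.escape(text, quote=True)


if __name__ == "__main__":
    decoded = decode_post(POC_PAYLOAD)
    print("decoded payload:", decoded)
    print("rendered safely:", render_safely(decoded))
```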