After the last challenge, we move on to the one that continues the previous Marcodowno challenge. Once again we have to find an XSS vulnerability in a website that triggers without any user interaction, but this time the vulnerable code has changed.

Fine, I'll use a damn lib. Let's see if it's any better.


Let’s jump straight to the code, as we’re already familiar with the functionality from the previous challenge and not much has changed.

    input = decodeURIComponent([^&#]+)/)[1]);

    mermaid.init(undefined, $("#render"));

    function rerender(){
        $("#render").html();
        $("#render").removeAttr("data-processed");
        $("#render").text($("#markdown").text());
        mermaid.init(undefined, $("#render"));
        $("#render").html("<font id='error' color=red></font>");
    }

This time, instead of a bunch of regular expressions, the page uses a library called mermaid. The script tag shows that it is up to date, with version 8.0.0 in use.

    <script src=""></script>

Mermaid is a simple markdown-like script language for generating charts from text via JavaScript. We can see how it is used in the many examples available in the documentation.

    Alice->>John: Hello John, how are you?
    John-->>Alice: Great!

At first I looked for known vulnerabilities online, with no luck. After spending some more time searching, I found a way to place HTML into a chart node.

    graph LR


And it actually works. But I could not get <script>alert(1)</script> to fire; something in the library was throwing errors. Upon further examination, I noticed that it is not the script tag that causes the error but the () characters.

Knowing the cause, I decided to search Google for similar problems and, hopefully, solutions. Through this issue I found a working payload that uses the XSS in an img tag.

    graph LR
    id1("<img src='' onerror='alert(1)'></img>")
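The root cause on this page is that the rerender function hands the raw URL parameter to mermaid, and mermaid then places node labels into the page as HTML, so markup inside a label such as the img tag above is interpreted rather than displayed. The following is an added example from the defender's side, not the challenge's code and not Mermaid's own API: a small Node-runnable pre-filter that flags labels containing tags or inline event handlers and HTML-escapes every node label before the definition reaches the renderer. It assumes labels are double-quoted and use the id["..."], id("...") or id{"..."} forms; other Mermaid label syntax is out of scope, and the sample inputs are constructed.

```javascript
// Added example, not the challenge's or Mermaid's own code.
// Defender-side pre-filter for Mermaid "graph" definitions that arrive from an
// untrusted source (on this page: the URL parameter passed to mermaid.init).
// Assumption: node labels are double-quoted and use the bracket forms
// id["..."], id("..."), id{"..."}; other Mermaid label syntax is not handled.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every HTML-significant character so the label is rendered as text
// even when the chart library inserts labels as HTML.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Captures: node id, opening bracket(s), quoted label, closing bracket(s).
const LABEL_RE = /([A-Za-z0-9_]+)([\[({]{1,2})"([^"]*)"([\])}]{1,2})/g;

// Detection: return the labels that contain a tag or an inline on*= handler.
// A non-empty result is a reasonable log/alert condition before rendering.
function findSuspiciousLabels(definition) {
  const hits = [];
  for (const match of definition.matchAll(LABEL_RE)) {
    const label = match[3];
    if (/<[a-z!/]/i.test(label) || /\bon[a-z]+\s*=/i.test(label)) {
      hits.push(label);
    }
  }
  return hits;
}

// Mitigation: return the definition with every node label HTML-escaped,
// leaving the chart structure (ids, brackets, arrows) untouched.
function escapeNodeLabels(definition) {
  return definition.replace(
    LABEL_RE,
    (_m, id, open, label, close) => `${id}${open}"${escapeHtml(label)}"${close}`
  );
}

// Constructed inputs: the write-up's payload and a benign chart.
const PAYLOAD = `graph LR\nid1("<img src='' onerror='alert(1)'></img>")`;
const BENIGN = `graph LR\nA["Start"] --> B("End")`;

console.log(findSuspiciousLabels(PAYLOAD)); // one flagged label
console.log(escapeNodeLabels(PAYLOAD));     // label becomes inert text
console.log(findSuspiciousLabels(BENIGN));  // []
```

The escaped definition still renders as a chart; the label simply shows the literal `<img ...>` text instead of creating an element, which is the behaviour a user-supplied label should have. Later Mermaid releases added their own `securityLevel` configuration for this purpose, but an independent filter like this one is also useful as a logging point on the server or proxy side.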


With the working exploit, we can submit the URL and get the flag.