Screw you guys, I'm going home!
- Eric Theodore Cartman
This is not how I wanted to start, and not with so many letters, but... I will tell a little Christmas tale, or story, and maybe even a true one.
For Catholic Christmas, Santa decided to play a joke on me and presented a vulnerability in a large language-learning resource, one bit at a time: everyone knows what is needed, but somehow it gets forgotten, like XSS in markdown.
Before proceeding, a short digression about the structure of the article. I divided it into three parts: practical, survey and philosophical, and for readability and a bit of mystery I also introduced variables:
X - the language-learning service
H - the main person at X
d ∈ D - the development team of X, or just D
S - Santa Claus, who just last year fell asleep with gifts from North Korean hackers
Z - the vulnerability, aka the gift, aka the Christmas miracle
Y - the user to whom S presented Z
Part One: Practical
The author does not know why D decided to use markdown on the X forum while fully trusting its users: whether it is the core of the ecosystem, a desire to please users, or plain laziness. Here only guesses are possible, and I think we will never learn the answer from them.
Catholic Christmas arrived, and having been a good boy in the past year, Y found Z from S under the tree. "What the...", Y exclaimed, but like any child he decided not to dwell on his exclamation and immediately played around with Z on X. What was his surprise when the banal link [test](javascript:alert('xss')) brought him an "XSS". "A miracle?! A gift!", you say; you could call it something else, sloppiness for instance, but adhering to ethical hacking, Y still decided to share his gift with D and warn other X users about such a miracle, which could lead to miracles of a more serious scale: theft of their data, spam, or turning their computing device into one of the nodes of the next botnet, or into a pumpkin. But because D, for some unknown reason, hid the magic "support" button from direct access by the Russian-speaking community, Y decided to congratulate them on the forum in the support section for English-speaking users, leaving them a simple alert and asking them to close this problem.
The day passed, the New Year was already on the threshold, but D did not respond about Z. In the meantime a guy from Kiev used Z to restore the X functionality that D had removed but users still wanted, and another user from Germany decided to check whether Z could be triggered without users noticing, using onmouseover and onload on an image. "Hmm," said Y, seeing that his message had never been read by D. "Maybe I wrote in the wrong place," he thought, and left another short message about the gift he had found, this time in the Russian-speaking part of X. A girl, O, responded to it and, realizing what scale of miracles Z could produce, suggested another way to reach D: through direct messages on their profile page, laying out the Z gift to them in full. Y, for his part, had only hung a small greeting on onmouseover, an alert saying "Happy New Year"; after all it was New Year, Christmas spirit. Only then did he write to H about Z, and lo, D responded by removing all the posts on the English-language part of the X forum, while not touching the Russian-speaking part and leaving Y a banal "Thanks" with a promise: "We'll fix this soon". But that was not enough for Y, and he decided to ask H: "And why did D delete all my warnings?", to which H wisely remarked: "Because". "But what about the Christmas spirit? How can an ordinary alert lead to a browser suicide?" you ask. Of course it is not nice to get an alert, but after all, Happy New Year, and you can always close the page; let's leave that on H's conscience. So Y decided, and with a sense of accomplishment he went to bed hoping that the miracles at X would stop tomorrow.
December 31 was already on the calendar, last year's snow was falling, and the smell of mandarins and the sounds of madness in the kitchen woke Y. His computing device was not ready for new presents, but Y decided to check Z, and how upset he was to find that the miracles continued. Still, since only 8 hours had passed and D was probably working on the problem, Y left another greeting for the coming New Year, only in the Russian part so as not to embarrass D: a smiley which, when clicked, created an object element referencing the clip "Happy New Year" by the band ABBA. Here is what he got in the end:
{@id=abba} This is *red{@style=color:red;}.* [some text{@id=test}](javascript:%76%61%72%20%61%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%6F%62%6A%65%63%74%27%29%3B%61%2E%77%69%64%74%68%20%3D%20%34%32%30%3B%61%2E%68%65%69%67%68%74%20%3D%20%33%31%35%3B%61%2E%64%61%74%61%20%3D%20%22%2F%2F%77%77%77%2E%79%6F%75%74%75%62%65%2E%63%6F%6D%2F%65%6D%62%65%64%2F%33%55%6F%30%4A%41%55%57%69%6A%4D%22%3B%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%22%61%62%62%61%22%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%61%29%3B%61%6C%65%72%74%28%22%54%68%69%73%20%69%73%20%41%42%42%41%21%22%29%3B) 
Let's take a short rest from the Christmas story and analyze this message. The first thing needed was a container to which the object tag would be appended with a link to the clip; for this we assign the identifier {@id=abba} to the main container of the topic (don't be surprised: the classic variant {: #abba} did not work). Then the code had to be hidden somewhere, but before that it had to be encoded as a link, since the parser processed quotes and the less-than and greater-than characters. After that an image with a smiley was chosen, and for its onclick event it was better to call document.getElementById('test').click(), because the parser processed spaces.
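A defender-side check for the two features the message above abuses (the link target in the markdown and the attribute syntax), as an added example that is not the forum's own code; it assumes a hypothetical renderer that exposes the raw href and an attribute map before emitting HTML, and the sample inputs are constructed:

```javascript
// Added example, not the forum's code: a filter for markdown link targets and
// element attributes. Assumes the (hypothetical) renderer hands us the raw href
// and an attribute map before emitting HTML; all names here are hypothetical.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Normalize a href roughly the way a browser does before it picks a scheme:
// undo percent-encoding, drop ASCII control characters and whitespace, lowercase.
function normalizeHref(href) {
  let s = String(href);
  try { s = decodeURIComponent(s); } catch (e) { /* undecodable: keep raw */ }
  return s.replace(/[\x00-\x20\x7f]/g, "").toLowerCase();
}

// Allow relative targets and an explicit allow-list of schemes; everything else
// (javascript:, data:, ...) is rejected, not just the literal spelling
// "javascript:" that appears in the markdown source.
function isSafeLinkTarget(href) {
  const s = normalizeHref(href);
  const m = s.match(/^([a-z][a-z0-9+.-]*:)/);
  if (!m) return true; // no scheme: relative path, anchor, or "//host/..."
  return SAFE_SCHEMES.has(m[1]);
}

// Drop attributes that carry script or that the story shows being abused:
// any on* event handler, style, and href/src values that fail the link check.
function sanitizeAttributes(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (n.startsWith("on") || n === "style") continue;
    if ((n === "href" || n === "src") && !isSafeLinkTarget(value)) continue;
    out[n] = value;
  }
  return out;
}

// Constructed samples shaped like the page's payloads; the encoded one decodes
// to "var a = 1" rather than the real embed script, and VIDEO_ID is a placeholder.
const SAMPLES = [
  "javascript:alert('xss')",
  "javascript:%76%61%72%20%61%20%3D%20%31",
  "JaVaScRiPt:alert(1)",
  "//www.youtube.com/embed/VIDEO_ID",
  "https://example.com/page",
  "docs/rules.md",
];

// Map each sample to the verdict of the link check.
function classifySamples() {
  return Object.fromEntries(SAMPLES.map((h) => [h, isSafeLinkTarget(h)]));
}
```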
12 hours passed, but nothing happened; Z was never closed, so the outraged Y decided to leave one more greeting in plain text, warning users to spend less time on the forum, and asked H when D would solve the problem. In response his topic was deleted again, and an unimportant moderator asked Y not to write about the problem and not to warn users, since he would not achieve anything that way. Saddened, Y began saying goodbye to X, but soon received a message from a not-indifferent US user who partly agreed with Y and finally explained what "soon" means after all. The author will cite the full text of the messages from this caring user, so as not to pull anything out of context.
M: That's fascinating, I had no idea what was possible, but it definitely worked. I'm removed, it's quite serious. If you are on the screen, you should report this issue. I'll report the issue as well.
I would like to try it out. It's not possible to stop using it. If you're trying to fix it, it's not a problem. I don't necessarily agree.
M: "Soon" doesn't necessarily mean "instantly". It's a small team though. It is not so easy, since it's been so long as it's possible to get it done.
After reading these encouraging messages, Y deleted all his topics, gave the Tugriks he had earned during the course to the X evangelist for his Russian language (style), disconnected his account and joined the festive table...
Well, at the end of this story the author would like to quote Alexander Sergeevich Pushkin, slightly changing his imperishable lines: "A tale is a lie, but there is a hint in it, a good lesson..."
Part Two: Survey
- How would you congratulate users on the upcoming New Year using this XSS vulnerability on the forum?
- How would you reach the developers of a large resource after learning about such a problem before the New Year, keeping in mind that the forum is also available to anonymous users in read-only mode?
- And the last question: where would you put a comma, and would you put one at all, in this sentence: "it is impossible to exploit to inform".
Part Three: Philosophical
About the developers
The author did not write down what Y said about them, otherwise it would be taken as a complaint, but from everything he said the author would single out the following logical chain: if this problem cannot be closed within a week, it has not been given high priority, and if the developers keep silent about it, what miracles can users of their service expect!? And the author would like to add on this occasion: "Shit Happens".
About users
What saddened Y most in this whole story is the illiteracy of users, especially in the Russian-speaking part of the forum. Unlike the English-speaking part, where users pushed the topic up so that the developers would notice it, the Russian-speaking users, on the contrary, voted everything down when they felt like it and said: "why, and who needs it". Someone will say XSS is not serious, but the author would compare it with a kiss, after which everything only begins, unless of course you get a slap or a punch in the gut.
About language courses
There will definitely be no complaints or anything like that; the author will simply quote Y and a few wishes he would like to see in the courses (maybe someone has already done this):
I would compare them with a usual arcade game that hooks you: cool when everything blinks and explodes, you earn Tugriks and cheer, the task gets simplified at the end when you can't pass the level, and finally there is a splash screen congratulating you on the full playthrough. You put down the joystick, phone, laptop, and only one thing revolves in your head: "that was awesome". But gradually the euphoria subsides and you begin to notice that the lessons are not done, the house is not cleaned, the dishes are not washed, the fish died, and with the skills you got you can say only a couple of disconnected sentences.
- It would be great, for example, to read Bram Stoker's Dracula in the original, with an immediate analysis of the constructions, references to the rules and to the dictionary, and after reading the next chapter there would be a test on certain rules of the language being studied; then the sentences would not look as wild and pulled out of context as X's do.
- Courses should adapt, but not simplify the task; they should identify the best way to present information to the student. People are different: for someone it is easier through text, for someone through speech, for someone through images, and so on.
- We think in Russian, so why are we constantly forced to translate from English into Russian? It may be better to first get a hand in the reverse translation, from Russian into English, and only then replenish the vocabulary from English. Yes, of course, there is one "but": translations from Russian into English would not be worth a penny.
- Y agrees with Petrov that we first need to highlight the features and language constructs, and only then start learning; it's like programming courses that drag us by the hair through higher mathematics, compiler theory, operating systems, algorithms and design patterns, and only then move on to high-level languages.
Conclusion from the author: do not trust users, otherwise they will not trust you.