obsidian-auto-link-title
XSS - javascript execution when pasting certain links
I am currently doing the PortSwigger XSS labs and taking notes in Obsidian. When I (carelessly) pasted my payloaded links into Obsidian I got an alert box. The alert did not trigger when I pasted the link with Shift+Ctrl+V, so it has to have been this Plugin.
This only happens when the lab is up and running, so you would have to start them to recreate it.
Lab: Reflected XSS into a JavaScript string with single quote and backslash escaped | Web Security Academy
I pasted the following link triggering an alert in Obsidian:
https://[LAB-ID].web-security-academy.net/?search=AAAA%00\';%0A%0Aalert(1);//
Lab: Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped | Web Security Academy
I pasted the following link triggering an alert in Obsidian:
https://[LAB-ID].web-security-academy.net/?search=\\\%27;alert();//
Also works for this one: Lab: Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped | Web Security Academy
with this link https://[LAB-ID].web-security-academy.net/?search=AAAAAAAA${alert()}
Seems a lot of reflected XSS can trigger this? It's not all of them however; for Lab: Reflected DOM XSS | Web Security Academy the link https://[LAB-ID].web-security-academy.net/?search=%5c%22%7d%3balert(1)%3b%2f%2f works on the lab, but does not trigger an alert in Obsidian when fetching the title.
[closing issue was by accident]
This is a fantastic plugin and saves me a lot of time!
@kevNii It looks like the plugin conditionally loads links in electron windows, so JS will always execute. This would solve issues of dynamic page titles and unsupported charsets with mobile fetch (please correct me if I'm wrong). You could replace the conditional at the bottom of scraper.ts with just the nonElectronGetPageTitle function if this is a concern.
Although-- nodeIntegration is enabled and webSecurity is disabled in these windows, which seems it could be a security issue?
@blueputty01 That does seem to be the issue.
What kind of saves this from being an RCE vulnerability is the introduction of context isolation in electron, which is enabled by default. Without this any website you paste would be able to use the node API and have full RCE on your machine.
However, at least to me this is still an issue, since executing any website's JS is not what I expect when I paste a link. It still enables tracking users, leaking IPs, opening new browser windows,...
As a workaround, I can suggest implementing a backend server that parses the title tag from the page and nothing more. This may cause some site titles to be broken, but introducing headless options to parse web page titles can solve this problem. See #77
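The workaround suggested above (take the title tag from the fetched page and nothing more) can be done without ever handing the page to a JavaScript engine. The following TypeScript is an added example, not code from the plugin; it takes already-fetched HTML as a string, strips script and style bodies so a reflected payload cannot smuggle a fake title, and decodes a small set of HTML entities. The sample page is constructed to resemble the lab responses from the report.

```typescript
// Added example (not the plugin's scraper.ts): extract <title> from raw HTML
// as plain text. No BrowserWindow, no nodeIntegration, nothing executes.

// Named entities that commonly appear in titles; numeric ones are decoded below.
const NAMED_ENTITIES: Record<string, string> = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0",
};

// Decode &name;, &#NNN; and &#xHHH; (BMP only, for brevity). Unknown
// entities are left untouched rather than guessed.
function decodeEntities(text: string): string {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m: string, body: string) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return !isNaN(code) && code >= 0 && code <= 0xffff ? String.fromCharCode(code) : m;
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? m;
  });
}

// Returns the page title as text, or null if the document has none.
// <script> and <style> bodies are removed first, so a "<title>" that only
// exists inside a reflected script string (the labs' injection point) is
// never mistaken for the real one.
function extractTitle(html: string): string | null {
  const noScripts = html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<style\b[^>]*>[\s\S]*?<\/style\s*>/gi, "");
  const m = /<title\b[^>]*>([\s\S]*?)<\/title\s*>/i.exec(noScripts);
  if (!m) return null;
  // Drop stray tags inside the text node, then normalise whitespace.
  const raw = (m[1] ?? "").replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
  return decodeEntities(raw);
}

// Constructed sample: a lab-style response that reflects the search term both
// in the title (HTML-encoded) and inside an inline script (the XSS sink).
const SAMPLE_HTML = [
  "<!DOCTYPE html><html><head>",
  "<title>0 search results for &#x27;AAAA\\&#x27;;alert(1);//&#x27;</title>",
  "<script>var searchTerms = 'AAAA\\\\';alert(1);//';</script>",
  "</head><body><h1>Search</h1></body></html>",
].join("\n");

// extractTitle(SAMPLE_HTML) returns "0 search results for 'AAAA\\';alert(1);//'"
```

The alert(1) in the sample is inert because the text is never parsed as a document; a real fetcher would pass `await (await fetch(url)).text()` into extractTitle.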