A Tale of Two XSS in the Rails HTML Sanitizer

12 minute read Published:

Short write-up on CVE-2022-23519 and CVE-2022-23520, two XSS vulnerabilities in the Rails HTML sanitizer. There are some explanations of the vulnerabilities, the though process and code snippets used for fuzzing.
A while ago I was writing an application based on the Rails framework which returned sanitized user input. Its purpose was to build a PoC for an XSS vulnerability in the Rails HTML sanitizer (CVE-2022-32209, which appeared in June 2022). The following is a short write-up of that endeavour and how it turned into the discovery of two additional CVEs. I start with a discussion of the original CVE-2022-32209, proceed with an investigation of the fix and how it turned out to be incomplete (CVE-2022-23520), explain how that motivated additional fuzzing which uncovered additional working attack payloads (CVE-2022-23519) and conclude with a brief outline of the fix (entirely designed and implemented by flavorjones).

Filters and Bypasses - Rare IPv4 Formats for SSRF

5 minute read Published:

A short description of the many ways there are to write down an IP address, along with an online IP address encoder that will create alternative representations for any IP you enter. Useful for filter bypasses when testing for SSRF.
Many applications these days do network requests on behalf of their users. For example, it is often possible to define webhooks, where users can specify URLs to which a server shall send HTTP requests when certain events occur. Other applications may allow uploading images by URL or they may generate PDFs from HTML rendered server-side, which could contain URLs (see here). In all these examples, users provide input to specify the destinations of server-side network requests.