
This article has been posted under the following categories: blog, security, xss and typescript

How I found a TypeScript public playground XSS exploit

In 2021, I was playing around with the online TypeScript sandbox when I discovered a weird issue. When I tried to write XML to the terminal, instead of showing me the string representation, it was actually executing it.

While it makes sense for a code sandbox to execute the code you input, it is important that execution stays within the sandbox, as the sandbox has the proper restrictions put on the JavaScript environment, which include blocking cookie access and fetch access at a minimum.

The exploit

The exploit in this case was a very simple XSS attack. If you ran the code console.log('<img src="image.png">') inside the sandbox, the string was inserted literally, as HTML, into the virtual console, and thus the browser would render and execute the HTML. It was also possible to run scripts via the onerror attribute of the image, and hence you got out of the sandbox.

console.log("<img src='https:/dffdv' onerror='document.getElementById(\"top-menu\").style.background = \"hotpink\"'/>");

When this was run on the TypeScript playground website, it demonstrated that it had escaped the sandbox by changing the color of the top menu to hotpink. Because this bug is now fixed, pressing the run button now just logs it properly in the console.
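As an added illustration (not the playground's own code), here is the rendering mistake beside its fix: a minimal virtual console that either concatenates logged values straight into markup, as innerHTML would, or escapes them first, as textContent would. The element model is a constructed stand-in so the example runs outside a browser; PAYLOAD is the string from the post above.

```javascript
// Added example, not code from the TypeScript playground. The "element" is
// just a string of markup so this runs in Node without a DOM.

// Constructed sample input: the console.log argument from the post above.
const PAYLOAD = "<img src='https:/dffdv' onerror='document.getElementById(\"top-menu\").style.background = \"hotpink\"'/>";

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the logged value is concatenated straight into the markup, which
// is what happens when a console line is written with element.innerHTML.
function renderLineUnsafe(value) {
  return `<div class="log">${value}</div>`;
}

// Fixed: the value is escaped first, so the browser shows the literal string.
// In a real DOM, setting element.textContent = value achieves the same thing.
function renderLineSafe(value) {
  return `<div class="log">${escapeHtml(value)}</div>`;
}

// Defensive check for the rendered line: after stripping the wrapper div, does
// any tag start remain inside? If so, user-controlled markup has leaked through.
function leaksMarkup(html) {
  const inner = html.replace(/^<div class="log">/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Usage: compare the two renderings of the same logged value.
console.log("unsafe leaks markup:", leaksMarkup(renderLineUnsafe(PAYLOAD))); // true
console.log("safe leaks markup:  ", leaksMarkup(renderLineSafe(PAYLOAD)));   // false
```

The same check can be run against any console line the sandbox produces, not just this payload; a true result means the renderer is still treating log output as HTML.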

Proof

My listing in the security acknowledgement feed:

In December 2021, I was acknowledged with my website ferrybig.me for something in Online Services

Timeline

  • 2021-10-28: Reported vulnerability to Microsoft
  • 2021-10-28: Got automatic response that my mail was received
  • 2021-11-01: Microsoft confirmed that they reproduced the issue
  • 2022-01-11: Confirmed fixed
  • 2022-01-11: Security acknowledgement list updated with timestamp December 2021