How I found a TypeScript public playground XSS exploit
In 2021, I was playing around with the online TypeScript sandbox when I discovered a weird issue. When I tried to write XML to the terminal, instead of showing me the string representation, it was actually interpreting the markup as HTML and executing it.
While it makes sense for a code sandbox to execute the code you input, it is important that the code stays within the sandbox, because the sandbox puts the proper restrictions on the JavaScript environment, which at a minimum includes blocking cookie access and fetch access.
The exploit
The exploit in this case was a very simple XSS attack. If you ran the code console.log('<img src="image.png">') inside the sandbox, the string was inserted as-is into the virtual console's markup, so the browser parsed it as HTML and rendered an image element instead of the literal text. It was also possible to run scripts via the onerror attribute of the image, which meant arbitrary JavaScript ran in the playground page itself, and hence you got out of the sandbox.
When this was run on the TypeScript playground website, it demonstrated the sandbox escape by changing the color of the top menu to hotpink. Because this bug is now fixed, pressing the run button now just logs the string properly in the console.
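The root cause described above is a virtual console that concatenates the logged string into page markup. The following is an added example written for this page, not the playground's own code: it models a minimal console renderer in the vulnerable form (string interpolated into HTML) beside the fixed form (string escaped, or appended as a text node). The function names, the 'header' selector and the hotpink style in the payload are assumptions for illustration; the payload itself is constructed, modelled on the <img onerror> pattern the article describes.

```javascript
// Added example, not the TypeScript playground's own code. Models a minimal
// "virtual console" that turns console.log() output into page markup, first the
// way the vulnerable playground behaved (logged string concatenated into HTML),
// then the fixed way (string escaped, or appended as a text node). Runs under
// Node without a DOM by returning the HTML a renderer would assign to the
// container. Names, selector and colour in the payload are assumptions.

// Escape the characters that change meaning when a string lands in an HTML
// text context. Attribute and URL contexts need their own escaping; this is
// only correct for element text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the logged value is interpolated straight into markup,
// so a string such as '<img src=x onerror=...>' becomes a live element.
function renderLogLineVulnerable(value) {
  return `<div class="log-line">${value}</div>`;
}

// Fixed renderer: the same value is escaped first, so tags are shown literally.
function renderLogLineSafe(value) {
  return `<div class="log-line">${escapeHtml(value)}</div>`;
}

// Browser-only variant of the fix: build the line with a text node instead of
// innerHTML, which sidesteps escaping entirely. Not exercised under Node.
function appendLogLineSafe(container, value) {
  const line = document.createElement('div');
  line.className = 'log-line';
  line.textContent = String(value); // textContent never parses markup
  container.appendChild(line);
  return line;
}

// Constructed payload of the kind the article describes: an <img> whose
// onerror handler runs JavaScript in the host page. The 'header' selector and
// the hotpink colour are assumed for illustration.
const PAYLOAD =
  '<img src="image.png" onerror="document.querySelector(\'header\').style.background=\'hotpink\'">';

// Crude check on rendered markup: is there an inline on* event handler
// attribute inside a tag? Enough for this demonstration, not a sanitiser.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Render the payload both ways and report whether the handler would survive.
function demo() {
  const vulnerable = renderLogLineVulnerable(PAYLOAD);
  const safe = renderLogLineSafe(PAYLOAD);
  return {
    vulnerable,
    safe,
    vulnerableHasHandler: hasInlineHandler(vulnerable), // true: onerror would fire
    safeHasHandler: hasInlineHandler(safe),             // false: '&lt;img ...' is text
  };
}

// Run directly with: node virtual-console.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The fix is a rendering decision, not an input filter: the sandbox cannot stop a script from logging any string it likes, so the host page must treat every logged value as text. In a browser, textContent (or createTextNode) does that without any escaping; escapeHtml is only needed when markup is assembled as a string, and it must match the context the string lands in.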
Proof
My listing in the security acknowledgement feed:
Timeline
- 2021-10-28: Reported vulnerability to Microsoft
- 2021-10-28: Got automatic response that my mail was received
- 2021-11-01: Microsoft confirmed that they reproduced the issue
- 2022-01-11: Confirmed fixed
- 2022-01-11: Security acknowledgement list updated with timestamp December 2021