# Markdown Parser (XSS Scripting)
## Description
I built this simple markdown parser. Please give me some feedback (in markdown), I promise to read them all. Current features include: bold, italics, code blocks with syntax highlighting!
Author: ocean
http://challs.nusgreyhats.org:33335
[code](https://ctfd.nusgreyhats.org/files/29b0bd5a0c29e0dd06ea5e99d85a0eb4/dist-markdown-parser.zip?token=eyJ1c2VyX2lkIjoxNjQ4LCJ0ZWFtX2lkIjo1MDQsImZpbGVfaWQiOjM2Nn0.ZicOdg.nWW38dapftkKXDR0rrEhmujM_w0)
## Solution
Let's start with the code, in admin.js:
```javascript=
try {
    await page.setCookie({
        name: 'flag',
        value: process.env.FLAG || 'flag{fake_flag}',
        domain: cookieDomain,
        httpOnly: false,
        samesite: 'strict'
    })
    await page.goto(url, { timeout: 6000, waitUntil: 'networkidle2' })
} finally {
    await page.close()
    await ctx.close()
}
```
This tells us the flag is in a cookie. Because `httpOnly` is `false`, script running in the page can read it, so we need to find a way to access `document.cookie`.

Now we look for vulnerabilities in the markdown code. Usually `escapeHtml` handles blocking this attack; however, it was not applied everywhere in markdown.js:
```javascript=
if (line.startsWith('```')) {
    language = line.substring(3).trim();
    inCodeBlock = true;
    htmlOutput += '<pre><code class="language-' + language + '">';
```
So starting a line with `` ``` `` sends the rest of that line into the `class` attribute unescaped, which allows the attack.

results in

Now let's insert the XSS script,
for example:

will result in an alert:

and

to get `document.cookie`

and should get

## Flag
#### grey{m4rkd0wn_th1s_fl4g}
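
Added example, not part of the original writeup or the challenge source: the code-fence branch from markdown.js shown in the solution, beside a hardened form that allowlists and escapes the language string. The function names, the allowlist pattern, the `plaintext` fallback and the sample input are assumptions made for this illustration.

```javascript
// Added example; every name except `language` and `inCodeBlock` is an assumption.
const FENCE = '`'.repeat(3);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Behaviour described in the writeup: the text after the fence reaches the
// class attribute without escaping.
function openFenceVulnerable(line) {
  const language = line.substring(FENCE.length).trim();
  return '<pre><code class="language-' + language + '">';
}

// Hardened: accept only a plain language token, and escape it regardless.
const LANGUAGE_TOKEN = /^[A-Za-z0-9_+#.-]{1,32}$/;
function openFenceHardened(line) {
  const raw = line.substring(FENCE.length).trim();
  const language = LANGUAGE_TOKEN.test(raw) ? raw : 'plaintext';
  return '<pre><code class="language-' + escapeHtml(language) + '">';
}

// Minimal line-based renderer so both variants run on the same input.
function render(markdown, openFence) {
  let htmlOutput = '';
  let inCodeBlock = false;
  for (const line of markdown.split('\n')) {
    if (line.startsWith(FENCE)) {
      htmlOutput += inCodeBlock ? '</code></pre>' : openFence(line);
      inCodeBlock = !inCodeBlock;
    } else if (inCodeBlock) {
      htmlOutput += escapeHtml(line) + '\n';
    } else {
      htmlOutput += '<p>' + escapeHtml(line) + '</p>';
    }
  }
  return htmlOutput;
}

// Lists the element names that open in the rendered output.
function tagNames(html) {
  return [...html.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g)].map((m) => m[1]);
}

// Constructed input: a harmless markup probe placed after the opening fence.
const SAMPLE = FENCE + 'js"><b>probe</b>\nlet ok = 1 < 2;\n' + FENCE;
console.log(tagNames(render(SAMPLE, openFenceVulnerable)));
console.log(tagNames(render(SAMPLE, openFenceHardened)));
```

Any element in the output other than `pre`, `code` and `p` came from user input, so the `tagNames` check can serve as a regression test for the renderer.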