Executive Summary
- Challenge: PageOneHTML
- Category: Web Security
- Vulnerability: Server-Side Request Forgery (SSRF) via the gopher:// protocol
- Impact: Access to an internal API endpoint, leading to flag disclosure
- Flags:
  - Local: HTB{f4k3_fl4g_f0r_t3st1ng}
  - Remote: HTB{l1bcurL_pla7h0r4_0f_pr0tocOl5}
Source-to-Sink Analysis
1. Entry Point - User Input (Source)
The vulnerability starts at the /api/convert endpoint, which accepts user-controlled markdown content:

```javascript
// routes/index.js:15-28
router.post('/api/convert', async (req, res) => {
    const { markdown_content, port_images } = req.body; // User input
    let html; // declared here so the excerpt is self-contained
    if (markdown_content) {
        html = MDHelper.makeHtml(markdown_content); // Convert MD to HTML
        if (port_images) { // If port_images is true
            return ImageConverter.PortImages(html) // Process images
                .then(newHTML => res.json({ content: newHTML }))
                .catch(() => res.json({ content: html }));
        }
        return res.json({ content: html });
    }
    return res.status(403).send(response('Missing parameters!'));
});
```
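A defensive counterpart, added here and not part of the challenge's code: before the image converter hands a src to its fetcher (which, as the gopher:// finding implies, accepts whatever scheme the URL carries), validate it against an explicit http/https allowlist and reject loopback, private and link-local destinations. The function names validateImageSource, isPrivateIPv4 and isPrivateIPv6 are hypothetical.

```javascript
// Added hardening example, not the challenge's code; names are hypothetical.
// Two controls: a scheme allowlist and a block on internal destinations.

// IPv4 ranges a server-side fetch must never target (RFC 1918, loopback,
// "this host", and 169.254/16, which includes cloud metadata endpoints).
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// IPv6: loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10).
// IPv4-mapped addresses (::ffff:a.b.c.d, which the WHATWG URL parser
// serialises as ::ffff:hhhh:hhhh) are unwrapped and re-checked as IPv4.
function isPrivateIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === '::1' || lower === '::') return true;
  if (/^f[cd]/.test(lower) || /^fe[89ab]/.test(lower)) return true;
  if (!lower.startsWith('::ffff:')) return false;
  const rest = lower.slice('::ffff:'.length);
  if (rest.includes('.')) return isPrivateIPv4(rest);
  const [hi, lo] = rest.split(':').map(h => parseInt(h, 16));
  return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Returns { ok: true } or { ok: false, reason } for one candidate <img src>.
function validateImageSource(src) {
  let url;
  try { url = new URL(src); } catch (e) { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG parsing already normalises 127.1 / 0x7f000001 to dotted-quad form
  // and brackets IPv6 literals; strip the brackets before classifying.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback hostname' };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isPrivateIPv4(host)) {
    return { ok: false, reason: 'private or loopback IPv4' };
  }
  if (host.includes(':') && isPrivateIPv6(host)) {
    return { ok: false, reason: 'private or loopback IPv6' };
  }
  return { ok: true };
}
```

This checks only the literal host: a public name that resolves to an internal address, or an HTTP redirect to one, still gets through, so the fetcher must also re-check the resolved address at connect time and not follow redirects (or route all outbound fetches through an egress proxy that enforces the same policy).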
2. Image Processing - Protocol Confusion
The ImageConverter extracts all <img> tags and processes their src attributes: