# [HIGH] Fixing `marked` XSS vulnerability

**Source:** Snyk
**Published:** 2016-05-15
**Article:** https://snyk.io/blog/marked-xss-vulnerability/

## Threat Profile

Written by Guy Podjarny
May 15, 2016

A few weeks ago we added a Cross-Site Scripting (XSS) vulnerability in the popular marked package to our DB. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application.
marked parses Markdown and converts it into HTML, making it easy to turn user input - user comments, product reviews, support calls - into rich(ish) text, supporting links,…

## Indicators of Compromise (high-fidelity only)

- _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run.

## MITRE ATT&CK Techniques

- **T1059.007** — Command and Scripting Interpreter: JavaScript

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### marked Markdown XSS sanitizer bypass — entity-encoded 'javascript&#58' payload in web requests

`UC_3384_0` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.url="*javascript&#58*" OR Web.url="*&#58this*" OR Web.uri_query="*javascript&#58*" OR Web.uri_query="*&#58this*") by Web.src Web.dest Web.url Web.uri_query Web.http_method Web.http_user_agent Web.status
| `drop_dm_object_name(Web)`
| convert ctime(firstTime) ctime(lastTime)
| sort - lastTime
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "javascript&#58" or RemoteUrl contains "&#58this"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| sort by Timestamp desc
```
## Why this matters

Severity classified as **HIGH** based on: 1 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
