VULN-35559 Fix XSS via URI fragment in Marketo configurator #6225

Open

jsandland wants to merge 2 commits into stage from xss-attack

Conversation

@jsandland jsandland commented Jun 24, 2026

Summary

  • Sanitize all string values loaded from the URL hash in getHashConfig() before they enter state or localStorage
  • Uses the browser's HTML parser (el.innerHTML = value; return el.textContent) to strip tags and event handlers
  • Prevents form.cta.override and form.success.content XSS payloads from reaching window.mcz_marketoForm_pref, which Marketo's forms2.min.js injects as raw HTML

Resolves: VULN-35559

Attack vector (fixed)

A crafted URL fragment containing JSON with form.cta.override: "><img src=x onerror=eval(top.name)> caused Marketo's external JS to inject the payload as raw HTML, executing arbitrary JS in the milo.adobe.com origin. The attack used window.name to carry an unbounded exfil payload across the navigation, exfiltrating the victim's Adobe IMS access token (bearer token valid for API calls against Adobe IMS), full name, email, account details, and all cookies from adobe.com. A valid access token allows the attacker to impersonate the victim against Adobe APIs for the duration of the token's validity, which is effectively full account takeover for any signed-in Adobe user who visits the crafted URL.

How to validate

  1. Set up an httpworkbench.com instance and configure the httpworkbench hostname / delivery page response body as described in VULN-35559, setting the collector URL to your instance
  2. Sign in to your Adobe account in the test browser

Prod (unfixed):

  3. Visit the httpworkbench hostname / delivery page -- it will redirect to the PoC URL from VULN-35559
  4. Check your httpworkbench instance -- you will see a POST containing your cookies, sessionStorage, and Adobe IMS access token

Feature Branch (fixed):

  5. Update the delivery page POC URL in workbench to point to https://xss-attack--milo--adobecom.aem.page/tools/marketo?preview=1 keeping the hash from the PoC URL in VULN-35559 unchanged
  6. Visit the httpworkbench hostname / delivery page again
  7. Check your httpworkbench instance -- no POST is received, only the initial GET from the delivery page load

Test plan

  • Unit tests added for sanitizeConfigValue and sanitizeHashConfig covering the reported payload, svg/onload variant, plain text preservation, and non-string passthrough
  • Verified on https://xss-attack--milo--adobecom.aem.page/tools/marketo with full PoC hash -- exfil POST no longer fires
  • Verified prod still vulnerable without fix (confirms test is meaningful)
  • All existing marketo-config tests pass

Sanitize all string values loaded from the URL hash in getHashConfig()
to strip HTML tags before they enter state or localStorage, preventing
injection of event-handler payloads (e.g. onerror, onload) via
form.cta.override and form.success.content into window.mcz_marketoForm_pref.
aem-code-sync Bot commented Jun 24, 2026

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch.
In case there are problems, just click the checkbox below to rerun the respective action.

  • Re-sync branch
@github-actions

This pull request is not passing all required checks. Please see this discussion for information on how to get all checks passing. Inconsistent checks can be manually retried. If a test absolutely cannot pass for a good reason, please add a comment with an explanation to the PR.

Comment thread on libs/blocks/marketo-config/context.js (Outdated)
Setting innerHTML executes event handlers (onerror, onload) during
sanitization itself. DOMParser parses HTML in an inert context where
event handlers do not fire.
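An added example, not the PR's own code: a DOMParser-based sanitizer of the kind the second commit describes, walking the hash config recursively so nested objects and arrays are covered while non-string values pass through. The function names mirror the PR's `getHashConfig`, `sanitizeConfigValue` and `sanitizeHashConfig`; the hash format (URL-encoded JSON), `makeHashConfigSanitizer` and the injectable `toText` parameter are assumptions.

```javascript
// Added example, not the PR's own code. Assumed hash shape (constructed):
// "#" followed by URL-encoded JSON, e.g. {"form":{"cta":{"override":"..."}}}.

// Inert HTML-to-text conversion. DOMParser builds a detached document in which
// scripts do not run and event handlers (onerror, onload) never fire, unlike
// assigning innerHTML on a live element, where the "sanitizer" itself would
// execute the payload it is meant to strip.
function inertTextContent(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  return doc.body.textContent || '';
}

// `toText` is injectable so the recursive walk can be tested outside a browser.
function makeHashConfigSanitizer(toText = inertTextContent) {
  // Strings are reduced to their text content; every other type passes through.
  function sanitizeConfigValue(value) {
    return typeof value === 'string' ? toText(value) : value;
  }

  // Recursively sanitize a parsed JSON value, preserving its shape.
  function sanitizeHashConfig(node) {
    if (Array.isArray(node)) return node.map(sanitizeHashConfig);
    if (node !== null && typeof node === 'object') {
      const out = {};
      for (const [key, val] of Object.entries(node)) out[key] = sanitizeHashConfig(val);
      return out;
    }
    return sanitizeConfigValue(node);
  }

  // Parse the fragment; anything unparseable yields an empty config rather than
  // partially trusted state. Sanitization happens before the value is returned,
  // so nothing unsanitized can reach state or localStorage from here.
  function getHashConfig(hash) {
    const raw = hash.startsWith('#') ? hash.slice(1) : hash;
    if (!raw) return {};
    try {
      return sanitizeHashConfig(JSON.parse(decodeURIComponent(raw)));
    } catch (e) {
      return {};
    }
  }

  return { sanitizeConfigValue, sanitizeHashConfig, getHashConfig };
}

// Browser usage:
//   const { getHashConfig } = makeHashConfigSanitizer();
//   const config = getHashConfig(window.location.hash);
```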
@github-actions

Reminder to set the Ready for Stage label - to queue this to get merged to stage & production.
