Dec 24, 2023

Nuxt Content Exploit Guide

The Nuxt Content Module can easily be misused, leading to a number of different vulnerabilities. This guide introduces each issue with POC exploits.

What is Nuxt Content?

Nuxt Content is a module developed by the core Nuxt team that allows developers to easily integrate multiple document formats with their Nuxt App.

Abusing the Markdown Renderer

Nuxt's Markdown renderer is incredibly powerful, including support for Markdown Components (MDC) and Front-matter.

While these work brilliantly for static content, you should be wary when attempting to use these features with untrusted user input, as Nuxt MDC, the underlying module that adds support for Markdown, is not built to prevent XSS.

If you observe markdown behaviour in a Nuxt application, it's worth testing for these issues!

Prior to v2.7.0

Prior to v2.4.0 there was absolutely no protection against XSS. v2.4.0 introduced protection against the script element, but this can be circumvented using an image tag with an onerror handler, e.g.:

<img src=x onerror=alert('xss!')>

v2.7.0 further restricted href, src and onXXXX attributes; this can be bypassed using the srcdoc attribute on an iframe:

<iframe srcdoc=&lt;script&gt;alert(1)&lt;/script&gt;></iframe>

Filter Bypass

If the > and < symbols are being filtered or restricted, you can use MDC syntax to bypass this.

::Iframe{srcdoc=&lt;script&gt;alert(1)&lt;/script&gt;}
::

Front-matter

The front-matter is a feature of Nuxt Content that allows you to embed some data in the document. One of the features is being able to modify sections of the head tag. We can abuse this to add a script element to the head containing malicious code.

---
head: { script: "alert(1)" }
---
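Since the renderer's own filtering has been bypassed repeatedly (the onerror, srcdoc, MDC and front-matter cases above), a safer approach for untrusted Markdown is to reject those constructs before the document ever reaches Nuxt Content. The following gate is an added example, not code from the original post or from Nuxt; it assumes the input is the raw .md string as submitted and that untrusted authors have no legitimate need for raw HTML, MDC components or a head key in front-matter.

```javascript
// Added example, not from the original post: a pre-render gate for Markdown
// submitted by untrusted users, run before the text reaches Nuxt Content / MDC.
// It flags the constructs the post shows slipping past the renderer's filtering:
// raw HTML, MDC component syntax, entity-encoded markup, event-handler and
// srcdoc attributes, and a `head` key in front-matter.

const ENTITIES = { lt: '<', gt: '>', quot: '"', '#39': "'", amp: '&' };

// Decode common entities before inspecting. Two passes so double encoding
// (&amp;lt;) is also seen as '<'. The srcdoc bypass depends on the renderer
// decoding &lt;script&gt; on its behalf, so a gate that does not decode first
// would miss it.
function decodeEntities(s) {
  let out = s;
  for (let pass = 0; pass < 2; pass++) {
    out = out.replace(/&(lt|gt|quot|#39|amp);/g, (_, e) => ENTITIES[e]);
  }
  return out;
}

// Returns a list of findings; an empty list means plain Markdown that can be
// handed to the renderer. Deliberately errs toward rejection.
function auditUntrustedMarkdown(md) {
  const findings = [];
  const fm = md.match(/^---\r?\n([\s\S]*?)\r?\n---/); // leading front-matter block
  if (fm && /^\s*head\s*:/m.test(fm[1])) findings.push('front-matter head key');
  const body = decodeEntities(md);
  if (/<\/?[a-z][a-z0-9-]*(?=[\s/>])/i.test(body)) findings.push('raw html tag');
  if (/^\s*::[a-z][\w-]*/im.test(body)) findings.push('mdc block component');
  if (/[\s{]on[a-z]+\s*=/i.test(body)) findings.push('event handler attribute');
  if (/\bsrcdoc\s*=/i.test(body)) findings.push('srcdoc attribute');
  return findings;
}

// Constructed samples (not real submissions) exercising each rule.
const SAMPLES = {
  plain: '# Hello\n\nJust *Markdown*, 1 < 2 and a [link](https://example.com).',
  imgOnerror: "<img src=x onerror=alert('xss!')>",
  iframeSrcdoc: '<iframe srcdoc=&lt;script&gt;alert(1)&lt;/script&gt;></iframe>',
  mdcBypass: '::Iframe{srcdoc=&lt;script&gt;alert(1)&lt;/script&gt;}\n::',
  frontMatter: '---\nhead: { script: "alert(1)" }\n---\n\nbody text',
};

// Audit every sample; the plain document is the only one that comes back clean.
function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, auditUntrustedMarkdown(v)])
  );
}
```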

Finding Hidden Articles

Authors may start writing their content and accidentally publish it before its intended release. There could potentially be sensitive information here; while it may not be displayed in the UI, it's still possible to get your hands on it.

Nuxt Content comes equipped with an API you can query freely; to fetch all articles, make a request to:

/api/_content/query?_params={}

It could be worth searching for articles marked _draft: true or similar patterns.

Reconnaissance

Nuxt Content opens a few opportunities to gather some intelligence, such as installed packages, versions and build time.

The component metadata endpoint reveals information about operating system, file paths, package versions and some of the packages used to make the application.

/api/component-meta

You can check if the Nuxt Studio Module is installed.

/__studio.json

The payload section of the HTML contains an integrity attribute. This is the timestamp when the page was built.

<script>
window.__NUXT__={};
window.__NUXT__.config={
    public: { 
        content:{ locales:[], defaultLocale:"", integrity:1703272296286 }
    }, ...
}
</script>

Nuxt Studio UXSS

Using Nuxt Studio requires the Studio Module to be installed. Prior to v0.14.1 an XSS vulnerability existed due to a lack of postMessage origin checks and a weak check for the preview token. You can identify the version by looking at the /__studio.json file.

I've created a proof of concept.