[Elastic] Synthetics Recorder: Code injection when recording website with malicious content (4895)
Code generator gone bad! And another look at why it's important to consider the context you're escaping data for. In this case the Synthetics Recorder is used to generate Playwright scripts that replay a captured browser interaction. In the code it generated for waiting on a navigation to complete, it would emit something like the following:
page.waitForNavigation(/*{ url: 'https://example.com' }*/),
The URL being waited on is controlled by the website being recorded, and the generator only escapes it for a string-literal context, i.e. it stops the URL from breaking out of the quotes. But the actual context is a block comment, so the quotes don't matter at all: the URL only needs to contain a */
to close the comment, and everything after it is emitted as live JavaScript in the generated script. It does take an attacker in a privileged position, since the victim has to be recording a session and visit a hostile web application (or be navigated to such a malicious URL), but there are some contexts where this could be exploited.
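To make the context mismatch concrete, here is an added example (not Elastic's code, and not taken from the advisory) that models the generator in a few lines of JavaScript: a vulnerable version that escapes only for the quoted-string context, a hardened version that also neutralises the `*/` sequence that terminates a block comment, and a harness that evaluates the generated line against stubbed `page`/`attackerCode` objects to show which version lets the injected call run. The malicious URL, the `attackerCode` stub and the function names are constructed for the example.

```javascript
// Constructed attacker-controlled URL (not from the advisory): "*/" closes the
// comment the generator wrapped it in, ", attackerCode(), page.goto(" is now
// live code, and the trailing "/*" swallows the generator's own tail.
const MALICIOUS_URL = "https://example.com/*/ ), attackerCode(), page.goto(/*";

// Escaping for a single-quoted JavaScript string literal. Correct for that
// context; irrelevant inside a block comment, which is the bug described above.
function escapeForSingleQuotedString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Escaping for a block-comment context: the only token that can end the
// comment is the two-character sequence "*/", so break it up. "*\/" is still
// a valid "/" once the line is uncommented and read as a string literal.
function escapeForBlockComment(s) {
  return s.replace(/\*\//g, "*\\/");
}

// Vulnerable generator, modelled on the quoted line: escapes for the wrong context.
function genWaitForNavigationVulnerable(url) {
  return `page.waitForNavigation(/*{ url: '${escapeForSingleQuotedString(url)}' }*/),`;
}

// Hardened generator: the value sits in a string literal *inside* a comment,
// so it must be safe in both contexts. Escape for the string first, then the comment.
function genWaitForNavigationHardened(url) {
  const inner = escapeForBlockComment(escapeForSingleQuotedString(url));
  return `page.waitForNavigation(/*{ url: '${inner}' }*/),`;
}

// Minimal comment stripper (not string-aware; the generated line has no string
// literal outside the comment). Returns the code the engine will actually see,
// with whitespace removed so results are easy to compare.
function effectiveCode(line) {
  let out = "";
  let i = 0;
  while (i < line.length) {
    if (line.startsWith("/*", i)) {
      const end = line.indexOf("*/", i + 2);
      if (end === -1) break; // unterminated comment swallows the rest of the line
      i = end + 2;
    } else {
      out += line[i++];
    }
  }
  return out.replace(/\s+/g, "");
}

// Evaluate the generated line as an array element with stubbed Playwright-like
// objects, so we can observe whether the injected call actually executes.
function executeGenerated(line) {
  let attackerCalled = false;
  const page = {
    waitForNavigation: () => "waitForNavigation",
    goto: () => "goto",
  };
  const attackerCode = () => {
    attackerCalled = true;
    return "pwned";
  };
  const fn = new Function("page", "attackerCode", `return [${line}];`);
  const results = fn(page, attackerCode);
  return { attackerCalled, results };
}

// Demo: the same hostile URL through both generators.
for (const [label, gen] of [
  ["vulnerable", genWaitForNavigationVulnerable],
  ["hardened", genWaitForNavigationHardened],
]) {
  const line = gen(MALICIOUS_URL);
  console.log(`${label}: ${line}`);
  console.log(`  effective code: ${effectiveCode(line)}`);
  console.log(`  attackerCode() ran: ${executeGenerated(line).attackerCalled}`);
}
```

The hardened variant is the minimal fix for this shape of output; the more robust choice is to not interpolate untrusted data into a comment at all (emit the option as real code, or omit it), since every additional context a value passes through is another escaping rule to get right.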