XSS in markdown following unrecognized HTML element
Notes from Security Department
Verified on an up-to-date gdk install. The POC is available on GitLab.com.
Note that the markdown for the link can be preceded by any unrecognized <xx> tag.
This appears similar to #46957 (closed), so tagging the same teams.
From HackerOne
Title: Persistent XSS via Markdown Editor
Scope: None
Weakness: Cross-site Scripting (XSS) - Stored
Severity: High (8.8)
Link: https://hackerone.com/reports/418764
Date: 2018-10-04 02:10:36 +0000
By: @otr
Details: Summary: The markdown editor of GitLab allows for a persistent XSS vulnerability via a malicious link.
Description: Generally, JavaScript URLs within an anchor tag lead to XSS. In the markdown editor it is not directly possible to insert a JavaScript URL as a link, because the link is then not clickable.
However, putting a link in an unclosed tag makes even a JavaScript link clickable.
A POC payload for an issue description, comment or snippet description:
<xxx> [#1](javascript:alert%28document.domain%29)
This executes JavaScript on the domain GitLab is installed on.
Steps To Reproduce:
It can be reproduced anywhere the Markdown editor is used, but here I will describe it for creating a new issue. I chose this example because, in the real world, it has the highest chance of somebody clicking the link.
- Create a new issue
- Enter any arbitrary title in the "Title" field
- Paste the POC payload mentioned above in the "Description" field on the "Write" tab. Caution: the payload needs to have a newline after the first tag for the payload to work.
- Click on "Submit issue"
- Clicking on the link called "#1 (closed)" in the issue description text leads to an alert box (XSS).
Note that I gave the link a name imitating an issue id in order to make the link likely to be clicked.
Supporting Material/References:
- The first screenshot attached shows the XSS payload in the markdown editor
- The second screenshot attached shows the persistent XSS payload executed after being clicked in an incognito browser window
Impact
The attacker can execute JavaScript in the context of other authenticated GitLab users who click on malicious issue, snippet or comment links.
Timeline: 2018-10-04 02:10:36 +0000: @hackbot (comment [team-only]) A pre-submission trigger was matched on this report before it was submitted. However, the reporter decided to ignore the trigger and submit the report regardless.
The following message was shown to the hacker:
This report appears to contain output from an automated vulnerability scanner. In addition to describing frequently low priority issues, these scanners commonly generate false positives that require manual validation. Submission of these results also often leads to reputation loss.
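The defensive lesson of the report is that the href scheme has to be validated on the rendered output, independent of whatever markup (recognized or not) precedes the anchor. The Ruby below is an added illustration of that check and is neither GitLab's sanitizer nor code from the report; the RENDERED sample, the allow-list and the helper names are constructed assumptions, and a production filter should walk the parsed DOM rather than regex over the markup.

```ruby
require 'cgi'

# Schemes a rendered link may carry; anything else loses its href.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Constructed sample of what a renderer might emit for the report's payload
# (an unrecognized tag followed by a markdown link); not actual GitLab output.
RENDERED = '<xxx> <a href="javascript:alert%28document.domain%29">#1</a> ' \
           '<a href="/issues/1">#1</a> <a href="https://gitlab.com">gl</a>'

# Normalise an href the way a browser does before picking the scheme:
# decode HTML entities (the markup form of the value), drop tab/CR/LF
# (browsers ignore them anywhere in a URL) and leading control characters.
# Percent-encoding is left alone on purpose: browsers do not decode the scheme.
def normalize_href(href)
  CGI.unescapeHTML(href.to_s).delete("\t\r\n").sub(/\A[\u0000-\u0020]+/, '')
end

# Scheme of the normalised href in lower case, or nil for a relative URL.
def href_scheme(href)
  m = normalize_href(href).match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Relative URLs and allow-listed schemes pass; javascript:, data:, etc. fail.
def safe_href?(href)
  scheme = href_scheme(href)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Drop the href attribute from every <a> whose target fails safe_href?,
# no matter what tags precede the anchor. Regex-based so the demo runs
# without an HTML parser; a real filter should operate on the parsed DOM.
def strip_unsafe_hrefs(html)
  html.gsub(/<a\b([^>]*?)\shref\s*=\s*("[^"]*"|'[^']*')/i) do
    attrs  = Regexp.last_match(1)
    quoted = Regexp.last_match(2)
    safe_href?(quoted[1..-2]) ? "<a#{attrs} href=#{quoted}" : "<a#{attrs}"
  end
end

puts strip_unsafe_hrefs(RENDERED) if $PROGRAM_NAME == __FILE__
# => <xxx> <a>#1</a> <a href="/issues/1">#1</a> <a href="https://gitlab.com">gl</a>
```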