Cross-Site Scripting (XSS) vulnerability in Markdown
This vulnerability was reported via HackerOne. I've verified the finding and initial investigation suggests
it's caused by the %01
character prefacing the javascript scheme.
Title: [Markdown] Stored XSS via character encoding parser bypass
Scope: None
Weakness: Cross-site Scripting (XSS) - Stored
Severity: Medium
Link: https://hackerone.com/reports/270999
Date: 2017-09-22 20:33:25 +0000
By: @ysx
Details:
Hi @briann
and team,
A carefully crafted injection used against the Markdown input parser can be leveraged to store and execute arbitrary JavaScript on GitLab 10.0 hosts. Given the nature of this injection, which makes use of a rather esoteric filter bypass, the scope for exploitation may vary.
Proof of concept
I have been able to exploit the following vulnerability within project Wiki pages. Consequently, prior to reproducing this issue please set up a test GitLab 10.0 instance with a Markdown-formatted project wiki. For ease of exploitation, the use of a web intercept proxy (e.g. Burp Suite) is recommended.
-
Please proceed to access your Wiki, then select "Edit" on the homepage (or create a new Markdown page).
-
Next, please activate your web intercept proxy. After doing so, enter generic text into the "Content" field and select the "Save Changes" button.
-
Return to your web intercept proxy, and identify the POST request to the
wikis
endpoint. Within this request, please identify thecontent
parameter and replace this with the below payload. -
Finally, please POST the request and disable your web intercept proxy. Upon arriving on the updated Wiki page, please select the hyperlink to execute the JavaScript payload.
Markdown parser payload
%3Ca+href%3D%22%01java%03script%3Aconfirm%28document.domain%29%22%3EClick+to+execute%3Ca%3E%0D%0A
Supporting evidence
{F223200}
Verified conditions
At the time of testing, I have successfully confirmed exploitability in the following environment:
- Firefox 55.0.3 stable (32-bit) on Ubuntu 16.04.3 LTS
- Fresh GitLab 10.0.0 CE install