XSS in markdown following unrecognized HTML element
Notes from Security Department
Verified on up to date gdk install. The POC is available on GitLab.com.
Note that the markdown for the link can be preceded by any unrecognized tag such as <xx>.
This appears similar to #46957 (closed), so tagging the same teams.
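The note above is the defender's key point: whatever an unrecognized tag does to markdown parsing, the link that follows it still has to pass through the HTML sanitizer, so the sanitizer must run on the final rendered HTML and must reject unsafe `href` schemes regardless of what precedes the anchor. The following allowlist sanitizer is an added illustration written for this issue, not GitLab's code (GitLab's pipeline is Ruby; Python's standard-library parser is used here only because it needs no dependencies). The constructed `RAW_HTML_BLOCK` input stands in for the kind of raw HTML a markdown renderer passes through after an unrecognized tag on its own line; the tag set, attribute set and `SAFE_SCHEMES` are this example's own assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Minimal allowlist (an assumption of this example, not GitLab's real list).
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "br"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(url):
    """Return True only for relative URLs or allowlisted schemes.

    Control characters and whitespace are removed before the scheme is read,
    which is conservative: browsers tolerate tabs/newlines inside a scheme,
    so the check must not be fooled by them either.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML from scratch, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # audit trail of what was stripped (useful for logging)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown element such as <xx>: drop the tag, keep its text content.
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}[{name}]"))
                continue
            if name == "href" and not is_safe_url(value):
                # The attribute is removed, so the link text survives but is inert.
                self.dropped.append(("href", value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so "<" in content can never open a new tag.
        self.out.append(escape(data))

    def handle_comment(self, data):
        self.dropped.append(("comment", data))  # comments are discarded entirely


def sanitize(fragment):
    """Return (clean_html, dropped_items) for a rendered HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed fragment: an unrecognized tag on its own line followed by raw HTML,
# mirroring the shape of the report (link text imitates an issue reference).
RAW_HTML_BLOCK = '<xx>\n<a href="javascript:alert(1)">#1 (closed)</a>\n'

if __name__ == "__main__":
    clean, dropped = sanitize(RAW_HTML_BLOCK)
    print(repr(clean))   # '\n<a>#1 (closed)</a>\n'
    print(dropped)       # [('tag', 'xx'), ('href', 'javascript:alert(1)')]
```

The `dropped` list is the part a defender would wire into logging: a stripped `href` with a non-allowlisted scheme in user content is a cheap detection signal for attempts like the one in this report, while the rendered output stays inert.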
Title: Persistent XSS via Markdown Editor
Scope: None
Weakness: Cross-site Scripting (XSS) - Stored
Severity: High (8.8)
Link: https://hackerone.com/reports/418764
Date: 2018-10-04 02:10:36 +0000
By: @otr
Details: Summary: The markdown editor of GitLab allows for a persistent XSS vulnerability via a malicious link.
A POC payload for an issue description, comment or snippet description is:
Steps To Reproduce:
It can be reproduced anywhere the Markdown editor is used, but here I will describe it for creating a new issue. I chose this example as in the real world it has the highest chance of somebody clicking the link.
- Create a new issue
- Enter any arbitrary title in the "Title" field
- Paste the POC payload mentioned above in the "Description" field on the "Write" tab. Caution: The payload needs to have a newline after the first tag for the payload to work
- Click on "Submit issue"
- Clicking on the link called "#1 (closed)" in the issue description text leads to an alert box (XSS)
Note that I gave the link a name imitating an issue id in order to make the link likely to be clicked.
- The first screenshot attached shows the XSS payload in the markdown editor
- The second screenshot attached shows the persistent XSS payload executed after being clicked in an incognito browser window
Timeline: 2018-10-04 02:10:36 +0000: @hackbot (comment [team-only]) A pre-submission trigger was matched on this report before it was submitted. However, the reporter decided to ignore the trigger and submit the report regardless.
The following message was shown to the hacker:
This report appears to contain output from an automated vulnerability scanner. In addition to describing frequently low priority issues, these scanners commonly generate false positives that require manual validation. Submission of these results also often leads to reputation loss.