Cross-Site Scripting (XSS) vulnerability in Markdown
This vulnerability was reported via HackerOne. I've verified the finding and initial investigation suggests it's caused by the
Title: [Markdown] Stored XSS via character encoding parser bypass
Weakness: Cross-site Scripting (XSS) - Stored
Date: 2017-09-22 20:33:25 +0000
@briann and team,
Proof of concept
I have been able to exploit the following vulnerability within project Wiki pages. Consequently, prior to reproducing this issue please set up a test GitLab 10.0 instance with a Markdown-formatted project wiki. For ease of exploitation, the use of a web intercept proxy (e.g. Burp Suite) is recommended.
Please proceed to access your Wiki, then select "Edit" on the homepage (or create a new Markdown page).
Next, please activate your web intercept proxy. After doing so, enter generic text into the "Content" field and select the "Save Changes" button.
Return to your web intercept proxy, and identify the POST request to the wikis endpoint. Within this request, please identify the content parameter and replace this with the below payload.
Markdown parser payload
At the time of testing, I have successfully confirmed exploitability in the following environment:
- Firefox 55.0.3 stable (32-bit) on Ubuntu 16.04.3 LTS
- Fresh GitLab 10.0.0 CE install
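The report names the bug class (a character-encoding parser bypass: the filter and the component that later decodes the text disagree about which characters are present) but does not reproduce the payload. The defensive rule for that class is to canonicalize before validating or escaping. The following Python is an added example written for this page, not GitLab's code and not the reporter's proof of concept; the two-stage pipeline (a check on the stored submission, followed by a decoding render step) is an assumption used to illustrate the gap, and the inputs are constructed harmless `<b>` markers.

```python
import html
import unicodedata


def canonicalize(text: str, max_rounds: int = 5) -> str:
    """Decode HTML entities until the result is stable, then apply Unicode NFKC.

    Repeated decoding covers double-encoded input such as '&amp;lt;', and NFKC
    folds look-alike code points (fullwidth '<', U+FF1C) onto their ASCII form,
    so every spelling of an angle bracket becomes a literal '<' or '>'.
    max_rounds bounds the loop so a pathological input cannot spin forever.
    """
    current = text
    for _ in range(max_rounds):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current)


def naive_check_passes(text: str) -> bool:
    """A filter that inspects the raw submission before any decoding step.

    It approves anything without a literal '<'. A later stage that decodes
    entities or normalizes Unicode (a markup renderer, the browser) can then
    reintroduce the bracket the filter never saw. This is the assumed shape of
    the weak check, kept here only to contrast with the canonical one below.
    """
    return "<" not in text


def canonical_check_passes(text: str) -> bool:
    """The same policy applied after canonicalization: the check now sees the
    characters the renderer and browser will see."""
    return "<" not in canonicalize(text)


def render_untrusted_text(text: str) -> str:
    """Canonicalize first, then escape for an HTML text context.

    Because escaping runs on the decoded form, '<', '&#x3C;', '&amp;lt;' and
    the fullwidth bracket all end up as '&lt;' in the output. For rendered
    Markdown the same ordering applies: sanitize the HTML the renderer
    produced, never the Markdown source.
    """
    return html.escape(canonicalize(text), quote=True)


if __name__ == "__main__":
    # Constructed inputs: the same harmless '<b>' marker in four encodings.
    samples = ["<b>", "&#x3C;b&#x3E;", "&amp;lt;b&amp;gt;", "\uff1cb\uff1e"]
    for s in samples:
        print(f"{s!r:24} naive={naive_check_passes(s)!s:5} "
              f"canonical={canonical_check_passes(s)!s:5} "
              f"rendered={render_untrusted_text(s)!r}")
```

Run it directly to see the contrast: the naive check approves three of the four spellings, the canonical check rejects all four, and the renderer emits `&lt;b&gt;` for every one of them.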