XSS in static site editor!
HackerOne report #864356 by bull on 2020-05-01, assigned to @rchan-gitlab:
Hi,
I have found an issue which can be used by an attacker to insert malicious JavaScript for a user and take actions on behalf of the user, steal data, etc.
POC:
- go to your gitlab instance,
- create a public project with .md file in it
- invite victim as developer to your project
- serve malicious link: https://gitlab.example.com/USERNAME/REPOSITORY/-/sse/master/FILENAME.md?return_url=javascript:alert(document.domain)
video:
[REDACTED]
Isn't triggering on gitlab.com due to CSP, injection is there,
let me know if you need any more information or if I missed something
thanks
bull
Impact
XSS in gitlab instance!
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]
Edited by Costel Maxim
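
The report above describes a `return_url` query parameter that reaches a link target without validation. The following is an added example, not GitLab's code or its actual fix, showing one way to validate such a parameter before use; `safeReturnUrl`, `ALLOWED_ORIGIN`, `FALLBACK_URL` and the sample inputs other than the reported payload are assumptions made for illustration.

```javascript
// Added example (not GitLab's code): validate return_url before it becomes a link target.
// ALLOWED_ORIGIN and FALLBACK_URL are assumptions for this sketch.
const ALLOWED_ORIGIN = 'https://gitlab.example.com';
const FALLBACK_URL = ALLOWED_ORIGIN + '/';

function safeReturnUrl(raw, origin = ALLOWED_ORIGIN, fallback = FALLBACK_URL) {
  if (typeof raw !== 'string' || raw.trim() === '') return fallback;
  let parsed;
  try {
    // Parse with the WHATWG URL parser so the check sees what the browser
    // will see: tabs/newlines stripped, scheme lowercased, "\" treated as "/".
    parsed = new URL(raw, origin);
  } catch (err) {
    return fallback; // unparseable input never reaches the href
  }
  // Allowlist the scheme: javascript:, data:, vbscript: and so on are rejected.
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return fallback;
  // Same-origin only, which also rejects "//host" and "/\host" redirects.
  if (parsed.origin !== origin) return fallback;
  // Return the absolute URL: a bare pathname such as "//host/x" would be
  // re-read by the browser as a protocol-relative link to another host.
  return parsed.href;
}

// Constructed sample inputs; the first is the payload from the report.
const samples = [
  'javascript:alert(document.domain)',
  ' JavaScript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,x',
  '//evil.example/x',
  '/\\evil.example/x',
  '/USERNAME/REPOSITORY/-/blob/master/FILENAME.md',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeReturnUrl(s));
}
```

The CSP behaviour the reporter mentions is a second layer; validating the parameter itself keeps self-managed instances without such a policy from rendering the `javascript:` link at all.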