DoS by exploiting math feature on issue page.
HackerOne report #1350793 by cancerz
on 2021-09-24, assigned to GitLab Team:
Report | Attachments | How To Reproduce
Report
Exploiting the markdown `math` feature by supplying a large value results in DoS on the issue page.
Summary:
The markdown documentation available on docs.gitlab.com:
Math
Math written in LaTeX syntax is rendered with KaTeX.
Math written between dollar signs $ is rendered inline with the text. Math written in a code block with the language declared as math is rendered on a separate line:
This math is inline $`a^2+b^2=c^2`$.
This is on a separate line:
```math
a^2+b^2=c^2
```
I was trying the DoS attack with basic `math` with this payload:
`a^2+b^2=c^2+a^2+b^2=c^2+a^2+b^2=c^2` and more than 1000 characters,
but nothing impactful, just an error rendering alert.
Then I saw that the `math` feature is also supported in inline text by supplying a dollar sign `$` at the front and at the end `$`, not just in a code block.
Steps To Reproduce:
In my testing I use two accounts:
first account: administrator page
second account: attacker.
- The administrator creates a project with visibility public, then creates an issue page.
- On the attacker tab, open the link to the issue that was created by the first account, then comment with normal characters to test that the page is fine. Then send comments with large `math` payloads (the payload is available in this attachment). After successfully sending the comments, reload the page as the attacker. (If the attack is successful, the attacker can't click any button, just stuck on loading.)
- The administrator opens the issue page and reloads the browser tab. The administrator, same as the attacker, can't access anything on the issue page, just sees the page loading continuously.
Impact:
The issue page cannot be opened by any other users.
The administrator of the issue can't access the option to delete or edit the issue; all options are not accessible. Just delete the project to make the issue deleted.
Supporting materials:
[DOS.ISSUE.PAGE.mp4] video for proof-of-concept
[dos.txt] payloads for the attack. Just copy the payload, then paste it into the comments and send the comments.
This bug happens on GitLab.com
thanks
best regards.
Impact
The issue page cannot be opened by any other users.
The administrator of the issue can't access the option to delete or edit the issue; all options are not accessible. Just delete the project to make the issue clear.
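
A defensive counterpart to the report above, as an added example that is not part of the original report and is not GitLab's code: a pre-render guard that puts fenced `math` blocks and inline dollar-delimited spans through the same size limits before anything reaches the math renderer. The function names and both limits are assumptions; the 1000-character figure only echoes the size the reporter mentions.

```javascript
// Added example: a hypothetical pre-render guard, not GitLab's code.
const MAX_MATH_CHARS = 1000;      // assumed cap per expression
const MAX_NOTE_MATH_CHARS = 5000; // assumed total math budget per comment
const FENCE = '`'.repeat(3);      // the three-backtick code fence marker
const INLINE_MATH = /\$`([^`]*)`\$/g; // inline form: dollar, backtick, body, backtick, dollar

// Collect every math expression in a comment: fenced math blocks and inline spans.
function extractMath(markdown) {
  const found = [];
  let fence = null; // { lang, lines } while inside a fenced block
  for (const line of markdown.split('\n')) {
    const t = line.trim();
    if (fence) {
      if (t === FENCE) {
        if (fence.lang === 'math') found.push({ kind: 'block', source: fence.lines.join('\n') });
        fence = null;
      } else fence.lines.push(line);
    } else if (t.startsWith(FENCE)) {
      fence = { lang: t.slice(3).trim(), lines: [] };
    } else {
      for (const m of line.matchAll(INLINE_MATH)) found.push({ kind: 'inline', source: m[1] });
    }
  }
  // An unclosed math fence runs to the end of the comment; count it too.
  if (fence && fence.lang === 'math') found.push({ kind: 'block', source: fence.lines.join('\n') });
  return found;
}

// Decide per expression whether it may be handed to the renderer.
// Both forms go through the same limits, so neither form is checked less strictly.
function planMathRendering(markdown) {
  let budget = MAX_NOTE_MATH_CHARS;
  return extractMath(markdown).map(({ kind, source }) => {
    let decision = 'render';
    if (source.length > MAX_MATH_CHARS) decision = 'skip: expression too long';
    else if (source.length > budget) decision = 'skip: comment budget exhausted';
    else budget -= source.length;
    return { kind, length: source.length, decision };
  });
}

// Constructed sample comment: a short inline span, an oversized inline span, a short block.
const sample = [
  'Inline $`a^2+b^2=c^2`$ is fine.',
  'Oversized: $`' + 'x+'.repeat(750) + 'x`$',
  FENCE + 'math', 'a^2+b^2=c^2', FENCE,
].join('\n');
console.log(planMathRendering(sample));
```

Expressions marked `skip` would be left as plain text; a length cap bounds input size only, so a render-time limit in the client is still worth having alongside it.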
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: