Issue any http requests when users view an openapi document and click on buttons
HackerOne report #1563383 by yvvdwf
on 2022-05-09, assigned to @kmorrison1:
Report
Summary
Hello,
The sanitization of the Swagger OpenAPI viewer does not exclude the `form` tag. Consequently attackers may introduce a form which allows sending arbitrary POST requests to the server. PUT, DELETE, PATCH requests can be achieved by setting the value of the `_method` field.
Steps to reproduce
- In an existing project (or create a new one), add a file `openapi-form.yml` (you can change the basename, but it needs to contain the word `openapi`, and the `.yml` extension is important) with the following content:
```yaml
openapi: 3.0.0
info:
  title: Sample API
servers:
  - url: /api/v4
paths:
  /users/5212593:
    put:
      description: Click `Try it out` then `Execute` buttons to get bounty.
      operationId: api
      parameters:
        - name: admin
          value: true
```
- After committing the file, view it and click on the `Try it out` then `Execute` buttons. You will see a POST request to `/api/v4/users/5212593`. This is an example to escalate my account as Admin.
Impact
Attackers may trick users to perform unattended actions, such as (1) add attackers to Admin or a private group, (2) add attackers' SSH key, etc.
Examples
This example is in private mode, please tell me if you cannot access: https://gitlab.com/yvvdwf/xss/-/blob/master/openapi-form.yml#/default/api
What is the current bug behavior?
The sanitization does not exclude the `form` tag.
What is the expected correct behavior?
The `form` tag should be excluded.
Output of checks
This bug happens on GitLab.com
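As an added, defender-side example (not GitLab's or Swagger UI's code), the check below walks a parsed OpenAPI document and reports the free-text fields that carry `<form>` markup before the document reaches a viewer, with a fallback that strips such markup from rendered HTML; the sample spec is constructed to mirror this report, and the remark about forbidding the tag in the viewer's HTML sanitizer (e.g. DOMPurify's `FORBID_TAGS`) is an assumption about how the viewer is configured.

```javascript
// Added example: lint OpenAPI free-text fields for HTML <form> injection.
// Viewers render these fields as markdown with inline HTML, so an allowed <form>
// turns a harmless-looking button into a same-origin POST the user never intended.

const FREE_TEXT_KEYS = new Set(["description", "summary", "title", "termsOfService"]);
// A <form> element, or a formaction attribute (lets a button submit to another URL).
const FORM_PATTERN = /<\s*form\b|\bformaction\s*=/i;

// RFC 6901 JSON Pointer escaping, so path keys like "/users/{id}" stay unambiguous.
const escapePointer = (key) => key.replace(/~/g, "~0").replace(/\//g, "~1");

// Walk the parsed spec; return JSON Pointers of free-text fields containing form markup.
function findFormInjections(node, path = []) {
  const hits = [];
  if (typeof node === "string") {
    const key = path[path.length - 1];
    if (FREE_TEXT_KEYS.has(key) && FORM_PATTERN.test(node)) hits.push("/" + path.join("/"));
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => hits.push(...findFormInjections(item, [...path, String(i)])));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      hits.push(...findFormInjections(v, [...path, escapePointer(k)]));
    }
  }
  return hits;
}

// Fallback when the viewer's sanitizer cannot be reconfigured: drop <form> open/close tags
// and formaction attributes but keep the inner content. The preferred fix is to forbid the
// tag in the HTML sanitizer itself (assumption: DOMPurify with FORBID_TAGS: ["form"]).
function stripForms(html) {
  return html
    .replace(/<\/?\s*form\b[^>]*>/gi, "")
    .replace(/\s+formaction\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Constructed sample mirroring the report: a PUT operation whose description carries a form.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  info: { title: "Sample API", description: "Plain text, no markup here." },
  paths: {
    "/users/5212593": {
      put: {
        description:
          'Click Try it out: <form method="post" action="/api/v4/users/5212593">' +
          '<input type="hidden" name="_method" value="put"><button>Try it out</button></form>',
        operationId: "api",
      },
    },
  },
};
```

Running `findFormInjections(SAMPLE_SPEC)` flags only the `put` description, so a CI step can reject the file before it is ever rendered.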