**[HackerOne report #1350793](https://hackerone.com/reports/1350793)** by `cancerz` on 2021-09-24, assigned to GitLab Team: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce) ## Report Exploiting markdown with `math` feature supplyng large value result with dos on issue page. Summary : the markdown documentation available on docs.gitlab.com ``` Math View this topic in GitLab. Math written in LaTeX syntax is rendered with KaTeX. Math written between dollar signs $ is rendered inline with the text. Math written in a code block with the language declared as math is rendered on a separate line: This math is inline $`a^2+b^2=c^2`$. This is on a separate line: ```math a^2+b^2=c^2 ``` I was trying the dos attack with basic `math` with this payload: ```math a^2+b^2=c^2+a^2+b^2=c^2+a^2+b^2=c^2 and more than 1000character. ``` but nothing impactfull, just error rendering alert. than i see the `math` feature is support with inline text by suppling us dollar `$` on fron and end `$` not just code block, Steps To Reproduce: in my testing i use two accounts, first accounts : administrator page second accont : attacker. 1. The administrator create project with visibility public. than create issue page, 2. on attacker tab, open the link issue that was created by first accounts. than comment with normal character to test that the page is fine. than send comments with large `math` payloads. (the payload is available on this attachment). after succesfully send comments, reload the page as an attacker.. (if attack succesfully the attacker can't click any button, just stuck on loading) 3. The administrator open the issue page, reload the browser tab, as an administrator same as attacker can't access everything on issue page, just see the page loading continously. Impact : *issue page can not opened by any other users.* *The dministrator issues can't access option to delete, or edit issue, all option are not accesible, just delete the project to make the issue deleted.* supporting materials: [DOS.ISSUE.PAGE.mp4] videos for proof-of-concept [dos.txt] payloads for attack. just copying the payload than paste it on comments and send comments. This bug happens on GitLab.com thanks best regards. #### Impact issue page can not opened by any other users. The dministrator issues can't access option to delete, or edit issue, all option are not accesible, just delete the project to make the issue clear. ## Attachments **Warning:** Attachments received through HackerOne, please exercise caution! ## How To Reproduce Please add [reproducibility information] to this section: 1. 1. 1. [reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues