HackerOne report H1:1067321 by jon_bottarini
Dec 28, 2020 - 7:34 a.m.

New Relic: Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled

2020-12-28 07:34:17
jon_bottarini
hackerone.com
$2123
28

Introduction & Context

This is a complex XSS that requires multiple steps to set up. It also requires you to have a good understanding of New Relic Insights, New Relic Synthetics monitors, and the NerdGraph API explorer.

Background Context: New Relic Synthetics and the history of tags for monitors (formerly known as labels)
New Relic allows you to define specific tags associated with a Synthetics monitor. Once you create a monitor, you can add tags to the monitor itself. Back in 2018/2019 you had the ability to add tags with special characters, such as just simply: malicious"&gt;<img>". Fast forward to 2020, and adding special characters is not possible anymore… so I had to get creative. After a bit of looking around, I realized that there is another way to add tags to a Synthetics monitor instead of just the UI: using the NerdGraph API explorer.

The Vulnerability

When you are editing an Insights dashboard, there is the option to enable filtering. Within the filtering options, you can specify event types that are related to Synthetics monitors. If you choose an event type of “SyntheticCheck” and select an attribute that is a tag with an XSS payload, the XSS payload will fire on the page. If you save the dashboard with the filter enabled, the XSS payload will also fire for any user who views the dashboard in the future.
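
The two controls this finding calls for, as an added example that is not New Relic code and not part of the original report: one tag-key validator shared by every write path (UI form and API mutation), plus output encoding at the filter's attribute picker so keys stored before validation existed still render inertly. All function names, the in-memory store and the allowed character set are assumptions made for illustration.

```javascript
// Added example: names, store shape and allowed character set are assumptions.
const TAG_KEY_RE = /^[A-Za-z0-9_.:-]{1,128}$/;

// Single validator used by every write path, so the API cannot accept
// a key that the UI form would have rejected.
function validateTagKey(key) {
  if (typeof key !== "string" || !TAG_KEY_RE.test(key)) {
    throw new Error("invalid tag key");
  }
  return key;
}

// Hypothetical handler behind a tag-adding mutation.
// Rejects the whole request if any key fails validation.
function addTagsToEntity(store, guid, tags) {
  const validated = tags.map((t) => ({
    key: validateTagKey(t.key),
    values: Array.isArray(t.values) ? t.values.slice() : [],
  }));
  store.set(guid, (store.get(guid) || []).concat(validated));
  return validated.length;
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render sink: the attribute list of the dashboard filter.
// Encoding happens here regardless of how the key was stored, because
// tags written before the validator existed may still be in the store.
function renderAttributeOptions(keys) {
  return keys
    .map((k) => `<option value="${escapeHtml(k)}">${escapeHtml(k)}</option>`)
    .join("");
}

// Constructed sample: the tag key string quoted in this report.
const SAMPLE_KEY = 'tags.new"><img src>';
```

Validation at the write path stops new malformed keys; encoding at the render sink is what protects viewers from keys that are already stored.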

Steps to Reproduce

  1. Create a new Synthetics monitor and write down the Entity guid of the monitor you created; we will need this later
  2. Navigate to NerdGraph API
  3. If you haven’t already, create an API key
  4. Run the following query, replacing ENTITY_GUID with the Entity guid of the Synthetics monitor you created
mutation {
    taggingAddTagsToEntity(
        guid: "ENTITY_GUID",
        tags: { key: "tags.new\"&gt;<img src>