This is a complex XSS that requires multiple steps in order to setup. It also requires you to have a good understanding of both New Relic Insights, New Relic Synthetics monitors, and the NerdGraph API explorer.
Background Context: New Relic Synthetics and the history of tags for monitors (formerly known as labels)
New Relic allows you to define specific tags associated with a Synthetics monitor. Once you create a monitor, you can add tags to the monitor itself. Back in 2018/2019 you had the ability to add tags with special characters, such as just simply: malicious"><img>"
. Fast forward to 2020, and the ability to add special characters is not possible anymoreโฆ so I had to get creative. After a bit of looking around, I realized that there is another way to add tags to a Synthetics monitor instead of just the UI: using the NerdGraph API explorer.
When you are editing an Insights dashboard, there is the option to enable filtering. Within the filtering options, you can specify event types that are related to Synthetics monitors. If you choose an event type of โSyntheticCheckโ and select an attribute that is a tag with an XSS payload, the XSS payload will fire on the page. If you save the dashboard with the filter enabled, the XSS payload will fire on any user who views the dashboard in the future as well.
Entity guid
of the monitor you created, we will need this laterENTITY_GUID
with the Entity guid of the Synthetics monitor you createdmutation {
taggingAddTagsToEntity(
guid: "ENTITY_GUID",
tags: { key: "tags.new\"><img src>