GitLab: Stored XSS in merge request pages

2018-09-13T10:56:07
ID H1:409380
Type hackerone
Reporter 8ayac
Modified 2018-12-03T22:15:49

Description

Summary: I found a Stored XSS in merge request pages.

Description: The exploit is via the parameter merge_request[source_branch] of the request to create a New Merge Request.

Steps To Reproduce:

  1. Sign in to GitLab.
  2. Click the "[+]" icon.
  3. Click "New Project".
  4. Fill out "Project name" form with "test-project".
  5. Check the radio button of "Public".
  6. Check the "Initialize repository with a README".
  7. Click "Create project" button.
  8. Go to "http(s)://{GitLab host}/{user id}/test-project/branches/new".
  9. Fill out each form as follows:
  10. Branch name: test-branch
  11. Create from: master
  12. Click "Create branch" button.
  13. Go to "http://{GitLab host}/{user id}/test-project/merge_requests".
  14. Click "Create merge request" button.
  15. Click "Submit merge request" button.
  16. Intercept the request.
  17. Change the merge_request[source_branch] parameter's value to <img/src=x onerror=alert(1)>
  18. Send the request.

Result: poc.png

Note: This behavior can be reproduced on all modern browsers.

Impact

The security impact is the same as any typical Stored XSS.
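As an added defensive illustration (not GitLab's code and not the fix the report describes, which this page does not show), the Ruby below applies the two controls that stop this class of bug: validating a user-supplied merge_request[source_branch] value against git's ref-name rules before accepting it, and HTML-escaping it at render time regardless. Function names are hypothetical.

```ruby
require 'cgi'

# Input validation: approximate git's check-ref-format rules so that
# only plausible branch names reach the merge request record.
def valid_branch_name?(name)
  return false if name.nil? || name.empty?
  return false if name == '@'
  return false if name.start_with?('-', '/', '.')
  return false if name.end_with?('/', '.', '.lock')
  return false if name.include?('..') || name.include?('@{') || name.include?('//')
  # Control characters, space, DEL and git's forbidden punctuation.
  return false if name =~ /[\x00-\x20\x7f~^:?*\[\\]/
  true
end

# Output encoding: escape when rendering, so a value that somehow slipped
# past validation is still shown as text rather than parsed as markup.
def render_source_branch(name)
  "<span class=\"ref-name\">#{CGI.escapeHTML(name)}</span>"
end

# Combined handling on merge request creation: reject bad input, then
# produce the escaped fragment used on the merge request page.
def accept_source_branch(name)
  raise ArgumentError, 'invalid branch name' unless valid_branch_name?(name)
  render_source_branch(name)
end
```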

Thank you.