$2000 Bounty: Stored XSS in GitLab
GitLab's repository viewer contained a stored XSS vulnerability because it relied on outdated Swagger UI and DOMPurify libraries. An attacker could upload a malicious OpenAPI file that triggered the XSS when a user viewed it. 2025-5-6 07:16:57 Author: infosecwriteups.com

Exploiting a stored XSS in GitLab’s repository viewer for $2000

Monika Sharma

Introduction

Cross-Site Scripting (XSS) continues to be one of the most impactful web vulnerabilities, even in large and mature platforms like GitLab. In this write-up we'll explore an interesting stored XSS vulnerability discovered by security researcher kannthu in GitLab's repository file viewer, which earned a $2000 bounty under report ID #1072868.

We’ll break down how the vulnerability was found, the root cause, the proof of concept (PoC), and why it posed a real security risk.

What was the vulnerability?

GitLab uses an embedded Swagger UI to display OpenAPI specifications stored in repository files. Unfortunately, the version of Swagger UI in use was outdated and relied on an old version of DOMPurify (a popular JavaScript HTML sanitizer library).

This older DOMPurify version didn't properly sanitize all malicious HTML attributes, leaving the application vulnerable to XSS.

This meant an attacker could upload a malicious OpenAPI file (such as openapi.yaml) containing crafted payloads in its text fields. When a user viewed this file via GitLab's interface, the payload would be stored and executed in the viewer's context, leading to a stored XSS.
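As an added example (not GitLab's or Swagger UI's code), the following Node.js lint walks an OpenAPI document's free-text fields and flags raw HTML that a strict allowlist sanitizer would have to strip, the kind of pre-render check or CI gate that limits exposure while a bundled sanitizer is being upgraded. The field names, allowlists and the sample spec are assumptions constructed for illustration.

```javascript
// Added example: lint free-text OpenAPI fields for raw HTML before they reach a renderer.
// Field names and allowlists are assumptions, not Swagger UI's or DOMPurify's real policy.
const TEXT_FIELDS = new Set(["description", "summary", "title", "termsOfService"]);
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "br"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);
const TAG_RE = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Return a list of policy violations found in one string of (possibly HTML-bearing) text.
function checkMarkup(text) {
  const findings = [];
  for (const m of text.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) findings.push(`tag <${tag}> not allowed`);
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").replace(/\s+/g, "").toLowerCase();
      if (name.startsWith("on")) findings.push(`event handler attribute ${name} on <${tag}>`);
      else if (!ALLOWED_ATTRS.has(name)) findings.push(`attribute ${name} not allowed on <${tag}>`);
      else if (name === "href" && /^(javascript|data|vbscript):/.test(value))
        findings.push(`unsafe href scheme on <${tag}>`);
    }
  }
  return findings;
}

// Recursively visit the parsed spec and lint every recognised free-text field, keyed by JSON path.
function lintOpenApi(node, path = "$") {
  const findings = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => findings.push(...lintOpenApi(v, `${path}[${i}]`)));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const p = `${path}.${k}`;
      if (TEXT_FIELDS.has(k) && typeof v === "string") {
        findings.push(...checkMarkup(v).map((f) => `${p}: ${f}`));
      } else findings.push(...lintOpenApi(v, p));
    }
  }
  return findings;
}

// Constructed sample spec: one benign link and one description carrying an event-handler attribute.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  info: { title: "Pets API", description: 'See <a href="https://example.com/docs">the docs</a>.' },
  paths: { "/pets": { get: { summary: "List pets", description: 'Returns <img src="x" onerror="alert(1)"> all pets.' } } },
};

console.log(lintOpenApi(SAMPLE_SPEC).join("\n"));
```

A regex-based lint like this is a policy gate for CI, not a substitute for a maintained sanitizer in the renderer itself; the durable fix is keeping Swagger UI and its bundled DOMPurify current.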


Source: https://infosecwriteups.com/2000-bounty-stored-xss-in-gitlab-c71b2d7a3c21?source=rss----7b722bfd1b8d---4