A recent investigation discovered a critical cross-site scripting (XSS) vulnerability in GitLab.
It involved the injection of malicious code via the clipboard, exploiting the DOM through unsanitised markdown fields.
This client-side attack, known as clipboard DOM-based XSS, can evade traditional security measures and execute arbitrary JavaScript under a user’s credentials.
The clipboard’s text/x-gfm-html MIME type was the culprit, enabling harmful payloads to be injected into markdown text fields.
The potential impact of this vulnerability includes unauthorized access, session hijacking, and the defacement of user interfaces.
The research paper provides explanations of the underlying technical causes, along with pamphlets for developers to help mitigate such variants in the future.
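As an added illustration of the mitigation side (this is not GitLab's code or the researchers' fix), the sketch below shows a paste handler policy that treats the `text/x-gfm-html` clipboard flavor as untrusted: it is accepted only if it passes a strict tag allowlist, otherwise the handler falls back to `text/plain`. The allowlist, the function names and the clipboard stand-in are assumptions made for the example.

```javascript
'use strict';
// Added example, not GitLab's code. Only the MIME type comes from the article;
// the allowlist, function names and clipboard stand-in are assumptions.
const GFM_MIME = 'text/x-gfm-html';
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'code', 'pre',
  'ul', 'ol', 'li', 'blockquote', 'a', 'h1', 'h2', 'h3']);
const TAG = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const NO_ATTRS = /^\s*\/?$/;                        // "", " /" or "/"
const HREF_ONLY = /^\s+href\s*=\s*"([^"]*)"\s*$/;   // exactly one quoted href
const SAFE_HREF = /^(https?:\/\/|mailto:|#)/i;

// True only when every tag is allowlisted and attribute-free, apart from
// <a href="..."> with an http(s), mailto or fragment URL.
function isInertHtml(html) {
  // Comments, doctype, CDATA and processing instructions are never needed here.
  if (/<[!?]/.test(html)) return false;
  for (const [, name, attrs] of html.matchAll(TAG)) {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return false;
    if (NO_ATTRS.test(attrs)) continue;
    const href = tag === 'a' ? HREF_ONLY.exec(attrs) : null;
    if (!href || !SAFE_HREF.test(href[1])) return false;
  }
  // Any "<" left after removing well-formed tags is unparsed markup: reject.
  return !html.replace(TAG, '').includes('<');
}

// clipboardData is the paste event's DataTransfer (anything with getData()).
function choosePaste(clipboardData) {
  const html = clipboardData.getData(GFM_MIME);
  if (html && isInertHtml(html)) return { kind: 'html', value: html };
  // Fallback is plain text; the caller must insert it as text, never as markup.
  return { kind: 'text', value: clipboardData.getData('text/plain') };
}

// Constructed clipboard stand-in so the example runs outside a browser.
const fakeClipboard = (data) => ({ getData: (type) => data[type] || '' });
```

The check is deliberately conservative and rejects the whole HTML flavor on any doubt; in a browser, accepted markup should still pass through a maintained HTML sanitizer before it reaches the DOM.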