Github Desktop - DOM XSS

I’ve always enjoyed “unusual” vulnerabilities, either bugs that you never knew were exploitable, or just funny quirks which lead to a vulnerability.

My recent finding within the Github Desktop for OSX ticked a few of those boxes, allowing me to trigger cross-site scripting in a desktop application.

The vulnerability is present due to the use of the Chromium Embedded Framework, which is used by the comparison graph you see at the top of the window. For exploitation purposes, this works like a sandboxed browser, rendering HTML and executing JavaScript provided.

To find the source of the vulnerability, we take a copy of the JavaScript used to render the comparison graph, which can be found within /Applications/GitHub Desktop/Contents/Resources/comparison-graph/scripts.js.

Reviewing the source for DOM XSS, we find a few candidates. I focused on the following for the purposes of the POC:

pull = $('<div class="commit latest synced merge pr comparison" data-branch="' + this.branch.name + '"></div>').prependTo(this.commitsContainer);

As we control the ‘this.branch.name’ property, we can set a branch name with the following:

git branch 'aa"><iframe/src=""/onload="document.body.innerHTML=prompt(/xss/)"><div/a="'

Then all is left to do hit the request button fire our javascript.

Again full credit github on turnaround of this issue. Liaising with their infosec team to help remediate and retest issue was very quick and responsive.