I’ve always enjoyed “unusual” vulnerabilities, either bugs that you never knew were exploitable, or just funny quirks which lead to a vulnerability.
My recent finding within the Github Desktop for OSX ticked a few of those boxes, allowing me to trigger cross-site scripting in a desktop application.
Reviewing the source for DOM XSS, we find a few candidates. I focused on the following for the purposes of the POC:
pull = $('<div class="commit latest synced merge pr comparison" data-branch="' + this.branch.name + '"></div>').prependTo(this.commitsContainer);
Since `this.branch.name` is concatenated straight into the markup without escaping, and we control it, creating a branch with the following name is enough to break out of the `data-branch` attribute:
git branch 'aa"><iframe/src=""/onload="document.body.innerHTML=prompt(/xss/)"><div/a="'
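To make the root cause and the fix concrete, here is an added example (my own code, not GitHub Desktop's) that places the concatenation pattern from the post beside an attribute-escaping version and a small ref-name check a pre-receive hook or CI job could run. The branch name from the post is reused as a constructed input; git's ref-name rules permit `"`, `<`, `>` and `/`, so nothing in git itself stops a name like this from reaching the UI.

```javascript
// Branch name taken from the post, used here as a constructed hostile input.
const HOSTILE_BRANCH =
  'aa"><iframe/src=""/onload="document.body.innerHTML=prompt(/xss/)"><div/a="';

// Vulnerable pattern (mirrors the post): the branch name is pasted into
// the markup string unescaped, so a quote in the name ends the attribute
// and the rest of the name is parsed as new tags.
function buildCommitDivUnsafe(branchName) {
  return '<div class="commit latest synced merge pr comparison" data-branch="' +
    branchName + '"></div>';
}

// Escape the characters that can close an attribute value, start a tag,
// or begin an entity. After this, the name can only ever be attribute text.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened version of the same builder.
function buildCommitDivSafe(branchName) {
  return '<div class="commit latest synced merge pr comparison" data-branch="' +
    escapeHtmlAttr(branchName) + '"></div>';
}

// Rough tag counter: every "<" followed by a letter opens an element.
// The safe builder must always yield exactly one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Defensive check for a server-side hook or CI step (hypothetical helper):
// flag ref names carrying HTML metacharacters, which a legitimate branch
// name has no reason to contain.
function refNameLooksSuspicious(name) {
  return /[<>"'&]/.test(name);
}

// Stand-alone demonstration.
console.log('unsafe tags:', countTags(buildCommitDivUnsafe(HOSTILE_BRANCH)));
console.log('safe tags:  ', countTags(buildCommitDivSafe(HOSTILE_BRANCH)));
console.log('flagged:    ', refNameLooksSuspicious(HOSTILE_BRANCH));
```

In a real browser or Electron renderer the better fix is to avoid building markup from strings at all: create the element with `document.createElement('div')` (or jQuery's `$('<div>')`) and set the name with `el.dataset.branch = name` or `.attr('data-branch', name)`, which never re-parses the value as HTML. The escaping function above is the fallback for code paths that must keep producing HTML strings.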
Again, full credit to GitHub on the turnaround of this issue. Liaising with their infosec team to help remediate and retest the issue was very quick and responsive.