During my exploration of Vercel’s platform, I discovered a reflected XSS vulnerability in the “clone project” functionality. This write-up explains how I identified the issue, the payloads used, and how it was resolved.
When creating a new project on Vercel by cloning from GitHub, the platform generates the following URL structure:

https://vercel.com/new/clone?b=main&s=https://github.com/vercel/vercel/tree/main/examples/nextjs&showOptionalTeamCreation=false&template=nextjs

Here, the s parameter specifies the GitHub repository URL:

https://github.com/vercel/vercel/tree/main/examples/nextjs

This parameter is reflected in the response as an anchor tag:

<a href="https://github.com/vercel/vercel/tree/main/examples/nextjs" rel="noopener" target="_blank">examples/nextjs</a>

Initially, I tested for common XSS characters (<, >, ") in the s parameter, but they were properly encoded. However, by manipulating the protocol of the URL, I found a bypass.
1. Protocol Manipulation
Changing the protocol in the s parameter to test:// bypassed validation. Here’s an example payload:

test://github.com/vercel/vercel/tree/main/examples/nextjs

Response:

<a href="test://github.com/vercel/vercel/tree/main/examples/nextjs" rel="noopener" target="_blank">examples/nextjs</a>

This demonstrated that the backend did not validate the protocol.
2. Injecting a Malicious Payload
Using the JavaScript: protocol, I crafted the following payload:
JavaScript://github.com/vercel/vercel/tree/main/examples/nextjs%0aalert(1)

Response:

<a href="JavaScript://github.com/vercel/vercel/tree/main/examples/nextjs%0aalert(1)" rel="noopener" target="_blank">examples/nextjs%0aalert(1)</a>

At this point, I could insert a reflected XSS payload in the anchor tag.
3. Executing the Payload
Due to the target="_blank" attribute, the malicious payload required a CTRL + Left Click (or equivalent) to trigger in modern browsers. Upon triggering, the payload is executed as intended.
Here is a screenshot demonstrating the XSS execution:
This vulnerability allowed attackers to execute arbitrary JavaScript in the context of the user’s browser. Although interaction was required, this posed a significant risk, especially if combined with social engineering.
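The root cause above is that attribute encoding was applied but the URL scheme was never checked. The following is an added example, not Vercel's code and not the fix they shipped: it places the encode-only rendering beside a hardened version that parses the value with the WHATWG URL parser and requires https and an allowlisted host (the allowlist and the attrEncode helper are assumptions for illustration).

```javascript
// Added example (not Vercel's code): reject non-https / non-allowlisted
// repository URLs before reflecting them into an href. Attribute encoding
// alone is not enough: the browser decodes the attribute and then follows
// whatever scheme the value carries, so a "JavaScript:" URL still executes.

// Assumed allowlist; the real service may accept other hosts.
const ALLOWED_HOSTS = new Set(['github.com', 'www.github.com']);

// Minimal HTML attribute encoder, i.e. the defence the write-up found in place.
function attrEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Weak version: encodes metacharacters but copies the scheme through untouched.
function renderWeak(s) {
  return `<a href="${attrEncode(s)}" rel="noopener" target="_blank">${attrEncode(s)}</a>`;
}

// Hardened version: the URL parser (global in Node >= 10 and browsers) lowercases
// the scheme and strips leading whitespace, so "JavaScript:" and " javascript:"
// both normalise to "javascript:"; then require https and an allowlisted host.
// Returns null when the value must not be rendered as a link.
function safeRepoUrl(s) {
  let u;
  try { u = new URL(String(s)); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.has(u.hostname.toLowerCase())) return null;
  if (u.username || u.password) return null; // reject embedded credentials
  return u.href;
}

function renderHardened(s) {
  const safe = safeRepoUrl(s);
  if (safe === null) return null; // caller omits the link or shows an error
  return `<a href="${attrEncode(safe)}" rel="noopener noreferrer" target="_blank">${attrEncode(safe)}</a>`;
}

// Constructed inputs following the shapes shown in the write-up.
const SAMPLES = [
  'https://github.com/vercel/vercel/tree/main/examples/nextjs',
  'test://github.com/vercel/vercel/tree/main/examples/nextjs',
  'JavaScript://github.com/vercel/vercel/tree/main/examples/nextjs%0aalert(1)',
];

for (const s of SAMPLES) {
  console.log(s, '->', safeRepoUrl(s) === null ? 'REJECTED' : 'allowed');
}
```

Only the first sample survives safeRepoUrl; the weak renderer emits all three, scheme intact.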
More:

https://n45ht.or.id/blog
https://t.me/ZeroToBug