Skip to content

Missing CSRF in System Hooks

Title:         Missing CSRF in System Hooks
Scope:         None
Weakness:      Cross-Site Request Forgery (CSRF)
Severity:      No Rating
Link:          https://hackerone.com/reports/309543
Date:          2018-01-26 13:19:34 +0000
By:            @sql00

Details:

Overview:##

I've found CSRF Vulnerability which allows an attacker to resend requests to multiple hooks.

Steps To Reproduce:

  1. Create System Hook
  2. Open System Hooks and Click "Test" - > "Push Events"
  3. Click "Edit" on this hook
  4. In "Recent Deliveries" click "View Details" for specific event.
  5. Click "Resend Request"

Resend Request:###

http://192.168.103.42/admin/hooks/3/hook_logs/116/retry

As you can see in the "Resend request" CSRF token is missing. For this reason attacker can trick user of gitlab to perform an unwanted action on a System Hook for which the user is currently authenticated.

PoC Code###

<img src="http://127.0.0.1/admin/hooks/3/hook_logs/107/retry" />

Impact

Attacker can trick user of gitlab to perform an unwanted action on a System Hook for which the user is currently authenticated.