Missing CSRF in System Hooks
Title: Missing CSRF in System Hooks
Scope: None
Weakness: Cross-Site Request Forgery (CSRF)
Severity: No Rating
Link: https://hackerone.com/reports/309543
Date: 2018-01-26 13:19:34 +0000
By: @sql00
Details:
Overview:##
I've found CSRF Vulnerability which allows an attacker to resend requests to multiple hooks.
Steps To Reproduce:
- Create System Hook
- Open System Hooks and Click "Test" - > "Push Events"
- Click "Edit" on this hook
- In "Recent Deliveries" click "View Details" for specific event.
- Click "Resend Request"
Resend Request:###
http://192.168.103.42/admin/hooks/3/hook_logs/116/retry
As you can see in the "Resend request" CSRF token is missing. For this reason attacker can trick user of gitlab to perform an unwanted action on a System Hook for which the user is currently authenticated.
PoC Code###
<img src="http://127.0.0.1/admin/hooks/3/hook_logs/107/retry" />
Impact
Attacker can trick user of gitlab to perform an unwanted action on a System Hook for which the user is currently authenticated.