GitLab.org / GitLab / Issues / #223681
Closed
Issue created Jun 22, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Abuse GitLab webhook functionality for DoS attacks

HackerOne report #904134 by noddyn12 on 2020-06-21, assigned to @rchan-gitlab:

Hi GitLab Team (please view the video proof)

Video proof link: https://drive.google.com/file/d/1_mbXy_btIqfmbnOB_aP1V7Bhjjr9U8xL/view?usp=sharing

Vulnerability name: DoS of another domain using GitLab servers (webhook abuse)

Steps to reproduce

  1. Visit gitlab.com
  2. Create a project
  3. Go to the webhook option and create a webhook with the target domain, e.g. target.com (hackerone.com).
    In this case, use a Burp Collaborator URL as the target and save the webhook.
  4. Now click on "Test webhook" (push event) and capture the request in Burp Suite.
  5. Send it to Intruder and set the payload type to null payloads.
  6. Set the payload count to 3000-4000 to demonstrate the risk.
  7. Set the thread count to 100 to make this happen quickly.
  8. Start the attack.
  9. After the attack completes, check the Collaborator.
    Intruder process: Screenshot_2020-06-21_at_12.57.42_PM.png

There will be 4000+ requests from the GitLab server to the victim's server:
Screenshot_2020-06-21_at_12.47.13_PM.png

Impact

  1. Since there is no rate limit on the gitlab.com webhook function, attackers can use this to send
    a lot of requests to a victim's server.
  2. There would not have been an issue if this were exploited using the attacker's own instance,
    but here it is attacked using gitlab.com.

Thanks

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2020-06-21_at_12.47.13_PM.png
  • Screenshot_2020-06-21_at_12.57.42_PM.png
Edited Aug 17, 2020 by Arturo Herrero
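The report's core point is that a "Test webhook" request can be replayed without limit, so a single project can turn GitLab's outbound HTTP client into a request amplifier against any URL. The usual mitigation is a per-hook rate limit on test deliveries. The following Ruby is an added example written for this page; it is not GitLab's own implementation and makes no claim about how GitLab later fixed the issue. The hook identifier, the limit of 5 per 60 seconds, and the replay spacing are assumptions chosen to mirror the report's 4000-request Intruder run.

```ruby
# Added example (not GitLab code): a per-hook sliding-window rate limit for
# "test webhook" deliveries, plus a simulation of the replay described in
# the report. Limit and window values are assumptions for illustration.

class WebhookTestRateLimiter
  # limit: maximum test deliveries allowed per hook within window_seconds.
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @buckets = Hash.new { |h, k| h[k] = [] } # hook_id => [timestamps]
  end

  # Returns true if the test delivery may proceed, false if it is throttled.
  # The time is injectable so the behaviour can be simulated deterministically.
  def allow?(hook_id, now = Time.now)
    stamps = @buckets[hook_id]
    stamps.reject! { |t| now - t >= @window } # forget deliveries outside the window
    return false if stamps.size >= @limit

    stamps << now
    true
  end
end

# Simulates an attacker replaying the captured "test webhook" request
# `requests` times against one hook (hook id is a constructed value) and
# returns how many outbound requests a limiter-guarded dispatcher would
# actually send versus drop. `spacing` is the seconds between replays.
def simulate_replay(requests:, limit:, window_seconds:, spacing: 0.01, start: Time.at(0))
  limiter = WebhookTestRateLimiter.new(limit: limit, window_seconds: window_seconds)
  sent = 0
  throttled = 0
  requests.times do |i|
    if limiter.allow?('hook-42', start + i * spacing)
      sent += 1
    else
      throttled += 1
    end
  end
  { sent: sent, throttled: throttled }
end

if __FILE__ == $PROGRAM_NAME
  # The report's scenario: ~4000 replays in well under a minute.
  p simulate_replay(requests: 4000, limit: 5, window_seconds: 60)
  # A legitimate user testing a hook every 15 seconds is never throttled.
  p simulate_replay(requests: 10, limit: 5, window_seconds: 60, spacing: 15)
end
```

The limit is keyed per hook rather than per user so that creating many projects does not multiply the budget per hook; in a real deployment the window state would live in a shared store (for example Redis) rather than in process memory, since test requests can land on any application node.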