Abuse GitLab webhook functionality for DoS attacks
HackerOne report #904134 by noddyn12
on 2020-06-21, assigned to @rchan-gitlab:
Hi GitLab Team (please view the video proof).
Video proof link: https://drive.google.com/file/d/1_mbXy_btIqfmbnOB_aP1V7Bhjjr9U8xL/view?usp=sharing
Vulnerability name: DoS of another domain using GitLab servers (webhook abuse)
Steps to reproduce
- Visit GitLab.com
- Create a project
- Go to the webhook option and create a webhook with the target domain as the URL (target.com, e.g. hackerone.com); in this case, use a Burp Collaborator URL and save the webhook
- Now click on "Test webhook" (push event) and capture the request in Burp Suite
- Send it to Intruder and set the payload type to null payloads
- Set the payload count to 3000-4000 to demonstrate the risk
- Set the thread count to 100 to make this happen quickly
- Start the attack
- After the attack is completed, check the Collaborator
Intruder process
There will be 4000+ requests from the GitLab server to the victim's server
Impact
- Since there is no rate limit on the gitlab.com webhook function, attackers can use this to send a lot of requests to a victim's server
- There wouldn't have been an issue if this was exploited using the attacker's own instance, but here it is attacked using gitlab.com
Thanks
Edited by Arturo Herrero
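The mitigation the report points at is a rate limit on manual webhook test triggers, so that one project cannot turn the platform into an amplifier against an arbitrary destination. The following is an added example written for this page, not GitLab's own code and not part of the report: a per-project, per-hook sliding-window limiter that a server-side handler would consult before dispatching a test delivery, returning HTTP 429 with a Retry-After value when the window is exhausted. The class name, the key (project id plus hook id), the default limits and the injectable clock are assumptions made for the example.

```ruby
# Added example (hypothetical, not GitLab code): a sliding-window rate limit
# on "test webhook" triggers, keyed by (project_id, hook_id).
class WebhookTestLimiter
  # Allow at most `limit` test deliveries per `period` seconds per key.
  # `clock` is injectable so behaviour can be verified without sleeping.
  def initialize(limit: 5, period: 60,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit = limit
    @period = period
    @clock = clock
    @buckets = Hash.new { |h, k| h[k] = [] } # key => timestamps of recent triggers
    @mutex = Mutex.new
  end

  # Returns true if this trigger may be dispatched, false if it should be
  # rejected (the caller would respond 429 Too Many Requests).
  def allow?(project_id, hook_id)
    key = [project_id, hook_id]
    now = @clock.call
    @mutex.synchronize do
      window = @buckets[key]
      window.reject! { |t| now - t >= @period } # forget triggers outside the window
      return false if window.size >= @limit
      window << now
      true
    end
  end

  # Whole seconds until the next trigger would be accepted; 0 if allowed now.
  # Suitable for a Retry-After header.
  def retry_after(project_id, hook_id)
    key = [project_id, hook_id]
    now = @clock.call
    @mutex.synchronize do
      window = @buckets[key]
      window.reject! { |t| now - t >= @period }
      return 0 if window.size < @limit
      (window.first + @period - now).ceil
    end
  end
end

# Simulates a burst of `n` test-trigger requests against one hook and
# returns [accepted, rejected] so the effect of the limit is visible.
def simulate_burst(limiter, project_id, hook_id, n)
  accepted = 0
  rejected = 0
  n.times do
    if limiter.allow?(project_id, hook_id)
      accepted += 1
    else
      rejected += 1
    end
  end
  [accepted, rejected]
end

if __FILE__ == $0
  limiter = WebhookTestLimiter.new(limit: 5, period: 60)
  accepted, rejected = simulate_burst(limiter, 1, 7, 4000) # constructed burst
  puts "accepted=#{accepted} rejected=#{rejected} retry_after=#{limiter.retry_after(1, 7)}s"
end
```

The limiter is deliberately keyed per hook rather than globally so a noisy project cannot starve others, and the rejected trigger is never enqueued, which is what keeps the outbound request count bounded regardless of how many client requests arrive.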