
Abuse GitLab webhook functionality for DoS attacks

HackerOne report #904134 by noddyn12 on 2020-06-21, assigned to @rchan-gitlab:

Hi GitLab Team (please view the video proof)

Video proof link: https://drive.google.com/file/d/1_mbXy_btIqfmbnOB_aP1V7Bhjjr9U8xL/view?usp=sharing

Vulnerability name: DoS of other domains using GitLab servers (webhook abuse)

Steps to reproduce

  1. Visit gitlab.com
  2. Create a project
  3. Go to the webhook option and create a webhook with the target domain, target.com (hackerone.com). In this case, use a Burp Collaborator URL instead and save the webhook
  4. Now click on "Test webhook" (push event) and capture the request in Burp Suite
  5. Send it to Intruder and set the payload type to null payloads
  6. Set the payload count to 3000-4000 to demonstrate the risk
  7. Set the thread count to 100 to make this happen quickly
  8. Start the attack
  9. After the attack is completed, check the Collaborator (Intruder process: Screenshot_2020-06-21_at_12.57.42_PM.png)

There will be 4000+ requests from the GitLab server to the victim's server (screenshot: Screenshot_2020-06-21_at_12.47.13_PM.png)

Impact

  1. Since there is no rate limit on the gitlab.com webhook function, attackers can use this to send a lot of requests to a victim's server
  2. There wouldn't have been an issue if this was exploited using the attacker's own instance, but here it is attacked using gitlab.com

Thanks


Edited by Arturo Herrero