GitLab.org / GitLab · Issue #26695 · Closed
Issue created Feb 12, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Ability to add your scopes to the app + text injection in OAuth

HackerOne report #494530 by executor on 2019-02-11, assigned to dappelt:

Hello again! I found that in Applications (https://gitlab.com/profile/applications) the scope that we pass in the request when creating and editing an application is not checked. It turns out that we can pass our own scope, with our own text. I decided to try it, and it worked!

Screenshot_1.png

But that alone didn't give any strong result.

Then I got an idea: what if I wrote text into the scope so that it was displayed on the OAuth authorization page?

The first problem I encountered: any space between two words split a single scope into several scopes.

The solution to this problem came almost immediately. I decided to replace the space with a different space character (Alt+255 on the numeric keypad).

Screenshot_2.png

Request

POST /oauth/applications HTTP/1.1
Host: gitlab.com
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.116
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://gitlab.com/profile/applications
Accept-Encoding: gzip, deflate, br
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _gitlab_session=session;
Content-Length: 967
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

utf8=%E2%9C%93&authenticity_token=token&doorkeeper_application%5Bname%5D=govon&doorkeeper_application%5Bredirect_uri%5D=http%3A%2F%2Flocalhost&doorkeeper_application%5Bscopes%5D%5B%5D=api&doorkeeper_application%5Bscopes%5D%5B%5D=read_user&doorkeeper_application%5Bscopes%5D%5B%5D=sudo&doorkeeper_application%5Bscopes%5D%5B%5D=read_repository&doorkeeper_application%5Bscopes%5D%5B%5D=read_registry&doorkeeper_application%5Bscopes%5D%5B%5D=After%C2%A0clicking%C2%A0on%C2%A0the%C2%A0%22Authorize%22%C2%A0you%C2%A0will%C2%A0receive%C2%A0a%C2%A0gold%C2%A0tariff&doorkeeper_application%5Bscopes%5D%5B%5D=You%C2%A0will%C2%A0receive%C2%A0the%C2%A0tariff%C2%A0only%C2%A0after%C2%A0clicking%C2%A0on%C2%A0the%C2%A0%22authorize%22&doorkeeper_application%5Bscopes%5D%5B%5D=All%C2%A0rights%C2%A0that%C2%A0you%C2%A0have%C2%A0requested%C2%A0will%C2%A0not%C2%A0be%C2%A0used%C2%A0after%C2%

Then I decided to check all of this on the OAuth authorization page.

Screenshot_3.png

Everything works fine, as seen in the screenshot.

Proof of Concept

ATTENTION: This PoC is a real app that will get your GitLab API token if you click Authorize. If you open it, either close the window or click Deny.

https://goo.gl/8qTxRE

Impact

An inattentive user may read only the bottom lines, which leads to phishing. As a result, we will have the victim's token.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_1.png
  • Screenshot_2.png
  • Screenshot_3.png
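The report's root cause is that the values submitted in `doorkeeper_application[scopes][]` were stored and later echoed on the consent page without being checked against the set of scopes the server actually defines, and that the whitespace split which would otherwise have broken up a sentence did not treat U+00A0 as a separator. The Ruby below is an added illustration of the defensive check, written for this page; it is not code from the report, from GitLab, or from the Doorkeeper gem. The allow-list, the scope descriptions and the function names are assumptions constructed for the example. Scope strings are normalised on any Unicode whitespace (U+00A0 included), matched against a fixed allow-list, and the consent-page text is drawn from a lookup table so that nothing a client submitted can appear on the authorization screen.

```ruby
# Added example (not GitLab's or Doorkeeper's code): validate OAuth
# application scopes against an allow-list and render consent text from
# a fixed table instead of echoing submitted values.

# Constructed allow-list; a real deployment would take this from the
# scopes the authorization server actually defines.
KNOWN_SCOPES = %w[api read_user sudo read_repository read_registry].freeze

# Constructed descriptions shown on the consent page. Only these strings,
# never client input, are rendered to the approving user.
SCOPE_DESCRIPTIONS = {
  "api"             => "Full read/write access to the API",
  "read_user"       => "Read-only access to the user profile",
  "sudo"            => "Act as any user (administrators only)",
  "read_repository" => "Read-only access to repositories",
  "read_registry"   => "Read-only access to the container registry",
}.freeze

class ScopeValidationError < StandardError; end

# Accepts either the Rails form array (scopes[]=a&scopes[]=b) or the
# space-separated string form that OAuth clients send, and returns a flat
# list of tokens. The split covers all Unicode whitespace plus U+00A0
# explicitly, so a no-break space cannot glue several words into one
# "scope" the way the report describes.
def normalize_scopes(raw)
  values = raw.is_a?(Array) ? raw : [raw.to_s]
  values.flat_map { |v| v.to_s.split(/[[:space:]\u00A0]+/) }.reject(&:empty?)
end

# Returns the de-duplicated scope list, or raises if anything is not on
# the allow-list. Unknown values are rejected outright rather than kept
# and displayed.
def validate_scopes(raw)
  scopes = normalize_scopes(raw)
  raise ScopeValidationError, "no scopes requested" if scopes.empty?

  unknown = scopes - KNOWN_SCOPES
  unless unknown.empty?
    raise ScopeValidationError,
          "unknown scope(s): #{unknown.map(&:inspect).join(', ')}"
  end
  scopes.uniq
end

# Controller-friendly wrapper: [true, scopes] or [false, error_message].
def check_scopes(raw)
  [true, validate_scopes(raw)]
rescue ScopeValidationError => e
  [false, e.message]
end

# Lines for the consent page, built only from the description table.
def consent_lines(raw)
  validate_scopes(raw).map { |s| "#{s}: #{SCOPE_DESCRIPTIONS.fetch(s)}" }
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a legitimate request, and one carrying an
  # NBSP-joined sentence as a "scope" like the request body above.
  p check_scopes(%w[api read_user])
  p check_scopes(["api", "After\u00A0clicking\u00A0on\u00A0Authorize"])
  puts consent_lines("read_user read_repository")
end
```

The same allow-list check belongs on both the create and the edit path of the applications form, since the report notes the scope field was unchecked in both; validating only at authorization time would leave stored applications carrying arbitrary text.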
Edited Aug 31, 2021 by Sam Kerr