ESCALATED: Lack Of State Parameter On Github Import Project Oauth
HackerOne report #605576 by aryan2808
on 2019-06-10, assigned to jmatos_bgtvf
Hi Gitlab Security Team,
Summary:
GitLab allows users to import projects from various companies like GitHub. Importing a project from GitHub to GitLab suffers from a lack of a state parameter, which allows an attacker to connect his GitHub account to the victim's GitLab import project function. Moreover, the interesting thing is that there is no option to disconnect the GitHub account on this function.
Steps to reproduce:
- Attacker navigates to Create Project > Import Project > GitHub. URL: https://gitlab.com/import/github/new
- Attacker authorizes his GitHub account via the "List your GitHub" function.
- As there is no state parameter on the request, the attacker captures the request and passes that request to the victim.
- Upon opening the link, the attacker's GitHub account is connected to the import function forever; there is no option to disconnect the GitHub account on this function.
HTTP request:
GET /users/auth/-/import/github/callback?code=2d162be301039cd44cf4 HTTP/1.1
Host: gitlab.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
Referer: https://github.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
Mitigation:
Implement the state parameter.
Thanks,
Aryan.
Impact
Attacker could connect his GitHub account to the import function forever.
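To illustrate the mitigation the report asks for, here is an added example of an OAuth callback with and without a session-bound state parameter. It is constructed for this write-up and is not GitLab's code; the module, method and session-key names, and the use of a plain Hash in place of the Rails session, are assumptions.

```ruby
require 'securerandom'
require 'uri'

# Constructed example, not GitLab's implementation. `session` is a Hash standing
# in for the Rails session store; all names below are assumptions.
module ImportOauthState
  STATE_KEY = :github_import_oauth_state

  # Vulnerable shape described in the report: the callback accepts any `code`
  # and binds the resulting GitHub token to whichever session opens the link,
  # so a forwarded callback URL connects the attacker's GitHub to the victim.
  def self.vulnerable_callback(session, params)
    session[:github_access_token] = exchange_code(params[:code])
    :connected
  end

  # Hardened flow, step 1: mint an unguessable nonce when building the
  # authorize URL and remember it in the current user's session.
  def self.authorize_url(session, client_id:, redirect_uri:)
    state = SecureRandom.urlsafe_base64(32)
    session[STATE_KEY] = state
    query = URI.encode_www_form(client_id: client_id, redirect_uri: redirect_uri,
                                scope: 'repo', state: state)
    "https://github.com/login/oauth/authorize?#{query}"
  end

  # Hardened flow, step 2: proceed only when the `state` echoed back by the
  # provider matches the one stored in this session. A link handed to a victim
  # fails here because the victim's session holds no (or a different) state.
  def self.callback(session, params)
    expected = session.delete(STATE_KEY) # single use: consumed on every attempt
    given = params[:state].to_s
    return :rejected_state_mismatch unless expected && secure_equal?(given, expected)

    session[:github_access_token] = exchange_code(params[:code])
    :connected
  end

  # Constant-time comparison so the check does not leak the nonce via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Stand-in for the code-for-token exchange with GitHub (network call omitted).
  def self.exchange_code(code)
    "token-for-#{code}"
  end
end
```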