CVE-2022-4342 Bypassed - Maintainer can leak masked webhook secrets by changing target URL of the webhook
HackerOne report #1915507 by theluci
on 2023-03-23, assigned to @ottilia_westerlund:
Report
Hello, I found that CVE-2022-4342, which was fixed in version 15.7.2, can be bypassed: a malicious maintainer can leak masked webhook secrets by changing the target URL of the webhook.
Summary
There is an option to mask parts of a webhook URL to treat it as a secret value.
https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#mask-sensitive-portions-of-webhook-urls
When this feature is used, any secret string in the configured URL is masked in the UI and in any logs shown in the UI. The values work the same way as other tokens: they are not accessible even to the user who configured them once they have been saved. It should not be possible for the initial user or any other user to retrieve these values.
The docs state this about the secret:
Sensitive portions do not get logged and are encrypted at rest in the database.
However, there is a way to leak masked webhook secrets by masking the attacker-controlled server URL itself (see Steps/POC).
POC
Steps to reproduce on GitLab.com
- victim is the owner of a project project-victim
- attacker is a maintainer in project-victim
- victim goes to his project-victim webhook settings, https://gitlab.com/GROUP/PROJECT/-/hooks
- victim configures a webhook with a secret token and masks the secret token. For example, put the URL like this: https://example.com?token=secret-token
- Click to add a mask, add the value secret-token with the replacement token. Click save for the webhook
- attacker goes to project-victim webhook settings, https://gitlab.com/GROUP/PROJECT/-/hooks
- Scroll to the bottom of the page to the list of configured hooks and edit the webhook.
- attacker edits the URL to an "attacker controlled server" (I used https://webhook.site to catch the request). Keep the token={token} part, like this: `https://WEBHOOK.SITE?token={TOKEN}`, and mask the URL of the attacker-controlled server as shown in the image
- click save
- click test
- check your server to see that the request is sent to the new URL and contains the secret token
- attacker can remove the trace by changing the URL back to the original URL
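The root cause described above is that a masked value keeps following the webhook URL after the URL has been edited to point somewhere else. The following is an added illustration, not GitLab's code: a hypothetical webhook model that binds each masked value to the origin (scheme and host) of the URL it was configured for, and whose delivery path refuses to interpolate a value into a URL that now points at a different origin. The scenario in demo() is constructed and collector.invalid is a placeholder host.

```python
# Hypothetical webhook model (not GitLab's code): a masked URL value is bound to the
# origin it was configured for, so a URL edit that points the hook elsewhere cannot carry it along.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host[:port], the part of a URL that decides who receives the request."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


@dataclass
class Webhook:
    url: str  # stored with placeholders, e.g. https://example.com?token={token}
    # placeholder name -> (secret, origin of the URL when the secret was saved)
    masked: dict[str, tuple[str, str]] = field(default_factory=dict)

    def add_mask(self, name: str, secret: str) -> None:
        self.masked[name] = (secret, origin(self.url))

    def update_url(self, new_url: str) -> None:
        """Only the URL changes; masked values are not re-entered through this path."""
        self.url = new_url

    def render_unchecked(self) -> str:
        """Weak behaviour: substitute every placeholder wherever the URL now points."""
        out = self.url
        for name, (secret, _) in self.masked.items():
            out = out.replace("{" + name + "}", secret)
        return out

    def render_checked(self) -> str:
        """Hardened: refuse delivery while any masked value is bound to another origin."""
        stale = [n for n, (_, bound) in self.masked.items() if bound != origin(self.url)]
        if stale:
            raise PermissionError(f"masked values {stale} belong to another destination; re-enter them")
        return self.render_unchecked()


def demo() -> tuple[str, str]:
    """Constructed scenario mirroring the report: the owner masks a token, an editor moves the URL."""
    hook = Webhook("https://example.com?token={token}")
    hook.add_mask("token", "secret-token")
    hook.update_url("https://collector.invalid?token={token}")  # constructed host, not a real site
    leaked = hook.render_unchecked()  # the secret is now addressed to the new host
    try:
        hook.render_checked()
        return leaked, "delivered"
    except PermissionError:
        return leaked, "blocked"
```

A same-origin edit (for example a changed path) still renders, so the check only forces re-entry when the recipient of the secret actually changes.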
Impact
Maintainers can leak secret masked values that should not be accessible after configuration.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: