Subdomain takeover in Gitlab pages
HackerOne report #2523654 by fdeleite on 2024-05-28, assigned to GitLab Team:
Report
Summary
It's possible for an attacker to take over a dangling custom domain pointing to GitLab Pages using `instanceX.gitlab.io`.
The problem arises when adding a custom domain to GitLab Pages: without the domain being verified, it still serves content (allowing 7 days before disabling it).
Steps to reproduce
I did some tests with gitlab.com domains, docs-dev.gitlab.com worked correctly.
The domain has the following fingerprints:
Dig
docs-dev.gitlab.com. 300 IN CNAME gitlab-com.gitlab.io.
gitlab-com.gitlab.io. 300 IN A 35.185.44.232
And going to the URL shows:
HTTP/1.1 302 Found
content-type: text/html; charset=utf-8
location: https://projects.staging.gitlab.io/auth?domain=http://docs-dev.gitlab.com&state=giZFQTsOOFXvR_0po68zrg==
permissions-policy: interest-cohort=()
set-cookie: gitlab-pages=..._; Path=/auth; Expires=Tue, 28 May 2024 21:07:33 GMT; Max-Age=600; HttpOnly
vary: Origin
date: Tue, 28 May 2024 20:57:33 GMT
gitlab-lb: haproxy-pages-01-lb-gstg
gitlab-sv: pages-us-east1-c
HTTP/2 401
content-type: text/html; charset=utf-8
permissions-policy: interest-cohort=()
vary: Origin
x-content-type-options: nosniff
content-length: 2872
date: Tue, 28 May 2024 20:57:34 GMT
- Create a GitLab Pages site using this project (https://gitlab.com/g15391522/pn1)
- Go to Deploy -> **Pages**
- Disable "Force HTTPS (requires valid certificates)"
- Add the target custom domain and click Save
- Go to http://docs-dev.gitlab.com/
Now the content of the site will be:
Impact
They could perform several attacks like:
- Cookie Stealing
- Phishing campaigns.
- Bypass Content-Security Policies and CORS.
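The defensive counterpart to this report is an inventory check: find every hostname in your zone whose CNAME chain ends in `*.gitlab.io` and confirm it is backed by a verified GitLab Pages custom domain. This is an added example, not part of the report; the zone records, the hostnames under `example.com` and the `PAGES_INVENTORY` mapping are constructed sample data.

```python
"""Audit dig-style zone records for custom domains that point at GitLab Pages
but are not backed by a verified Pages custom domain."""
import re

# Constructed dig-style output (name TTL IN type target).
ZONE_RECORDS = """
docs-dev.example.com.     300 IN CNAME gitlab-com.gitlab.io.
gitlab-com.gitlab.io.     300 IN A     35.185.44.232
blog.example.com.         300 IN CNAME pages-alias.example.com.
pages-alias.example.com.  300 IN CNAME team-x.gitlab.io.
www.example.com.          300 IN A     203.0.113.10
"""

# Constructed inventory: custom domains registered under Deploy -> Pages and
# their verification status. An unverified domain is still served for days.
PAGES_INVENTORY = {
    "blog.example.com": "verified",
    "docs-dev.example.com": "unverified",
}

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_records(text):
    """Map lower-cased owner name -> (record type, lower-cased target)."""
    records = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            name, rtype, target = m.groups()
            records[name.rstrip(".").lower()] = (rtype, target.rstrip(".").lower())
    return records


def resolve_chain(name, records, limit=8):
    """Follow CNAMEs from name (bounded to avoid loops); return the final target."""
    current = name.lower()
    for _ in range(limit):
        rec = records.get(current)
        if rec is None or rec[0] != "CNAME":
            return current
        current = rec[1]
    return current


def find_risky_domains(records, inventory):
    """CNAME owners ending in *.gitlab.io without a verified Pages domain."""
    findings = []
    for name, (rtype, _) in records.items():
        if rtype == "CNAME":
            final = resolve_chain(name, records)
            if final == "gitlab.io" or final.endswith(".gitlab.io"):
                status = inventory.get(name, "not registered")
                if status != "verified":
                    findings.append((name, final, status))
    return sorted(findings)
```

Each finding is a hostname that resolves into GitLab Pages while its domain is either unverified or absent from the Pages inventory, which is exactly the state the report shows being served.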