
User Application can spoof the redirect url in the new trust screen

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2573481 by joaxcar on 2024-06-24, assigned to @cmaxim:


Report

Summary

This is a bit of an odd one, but as I found it I thought I could just report it.

There is a new design for OAuth permission prompts when using Gitlab.com as an OAuth provider. When registering an application, you have to add a redirect URI. This is the URL that the user will end up on with the code after accepting the requested access scope for the application.

When visiting the permission prompt, GitLab will show an orange box informing the user which URL is trusted.

Screenshot_2024-06-25_at_00.15.00.png

The issue here is that there is a small normalization in the template HAML code:

domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')

As you can see, the code will first extract the host correctly and safely using a proper URI parser. But after the host is extracted, "www." will get stripped globally from the host. This allows an attacker to register an application with a redirect URI like https://gwww.itlab.com that will be shown as gitlab.com in the UI.

The issue here is that users are meant to trust the UI that the host is the recipient of the trust that is given. By spoofing this URL, an attacker can trick a victim into giving the attacker permission to access the victim's account.

The GitLab scope page has this out-of-scope line:

HTML or text injection is eligible only when significant impact can be achieved with minimal user interaction

I think that this affected page is significant enough to make this a vulnerability.

Steps to reproduce

  1. Go to https://gitlab.com/oauth/applications
  2. Click add new application
  3. Fill out the form and make sure to add https://giwww.tlab.com as the redirect URL and scope api
  4. Create the app, and copy the app ID
  5. Use the ID in this link:
https://gitlab.com/oauth/authorize?client_id=APP_ID&redirect_uri=https://giwww.tlab.com&response_type=code&state=adf&scope=api
  6. The UI will tell you that the redirect is to gitlab.com
  7. Click Authorize, and see that you end up on giwww.tlab.com

Screenshot_2024-06-25_at_00.04.06.png

Impact

Spoofing the redirect URL can trick a victim into giving trust to an untrusted attacker application.

What is the current bug behavior?

The host value is altered with an unsafe replace function.

What is the expected correct behavior?

The UI should be trustworthy.

Output of checks

This bug happens on GitLab.com

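The following Ruby script is an added illustration of the bug class the report describes; it is not code from GitLab or from the reporter. It places the report's global `gsub('www.', '')` normalization beside a hardened version that only removes a leading `www.` label (an anchored `sub`), and runs both over constructed redirect URIs, including the report's own `gwww.itlab.com` example, so the difference in what the trust screen would display is visible. The function names and sample URIs are assumptions made for this example.

```ruby
require 'uri'

# Vulnerable normalization, as quoted in the report: gsub with a literal
# string pattern removes EVERY occurrence of "www." anywhere in the host,
# so an inner label like "gwww.itlab" collapses to "gitlab".
def display_host_vulnerable(redirect_uri)
  URI.parse(redirect_uri).host.gsub('www.', '')
end

# Hardened version (hypothetical fix): only strip a "www." that is the
# first label of the host, anchored with \A so nothing inside the host can
# be rewritten. Everything else is shown exactly as parsed, which is what a
# user must be able to rely on when granting an OAuth scope.
def display_host_fixed(redirect_uri)
  host = URI.parse(redirect_uri).host
  raise ArgumentError, "redirect URI has no host: #{redirect_uri.inspect}" if host.nil?

  host.sub(/\Awww\./, '')
end

# Constructed sample redirect URIs for the demonstration.
SAMPLE_REDIRECTS = [
  'https://www.example.com/callback',   # benign: leading www. may be dropped
  'https://gwww.itlab.com/callback',    # the report's spoof: must NOT collapse
  'https://example.com/www.callback'    # "www." in the path, not the host
].freeze

# Returns [uri, vulnerable_display, fixed_display] triples so the behaviour
# of both normalizations can be compared (and asserted on) per input.
def compare_displays(uris = SAMPLE_REDIRECTS)
  uris.map { |u| [u, display_host_vulnerable(u), display_host_fixed(u)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_displays.each do |uri, bad, good|
    puts format('%-38s vulnerable=%-16s fixed=%s', uri, bad, good)
  end
end
```

The point to take from the output is that the hardened version still tidies a genuine `www.example.com` but leaves `gwww.itlab.com` untouched, so the orange trust box shows the real recipient of the grant. A review check for the same class of bug is to grep templates and helpers for `gsub`/`delete` calls applied to a parsed host and confirm each one is anchored or replaced with a prefix-only operation.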

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: