Abuse GitLab webhook functionality for DoS attacks
**[HackerOne report #904134](https://hackerone.com/reports/904134)** by `noddyn12` on 2020-06-21, assigned to @rchan-gitlab:
Hi GitLab Team (please view the video proof)
Video proof link: https://drive.google.com/file/d/1_mbXy_btIqfmbnOB_aP1V7Bhjjr9U8xL/view?usp=sharing
**Vulnerability name**: DoS of another domain using GitLab servers (webhook abuse)
**Steps to reproduce**
1. Visit gitlab.com.
2. Create a project.
3. Go to the webhook option and create a webhook with the target domain, e.g. target.com (hackerone.com). But in this case use a Burp Collaborator URL and save the webhook.
4. Now click on "Test webhook" (push event) and capture the request in Burp Suite.
5. Send it to Intruder and set the payload type to null payloads.
6. Set the payload size to 3000-4000 to demonstrate the risk.
7. Set the thread size to 100 to make this happen quickly.
8. Start the attack.
9. After the attack is completed, check the Collaborator.
Intruder process

There will be 4000+ requests from the GitLab server to the victim's server.

## Impact
1. Since there is no rate limit on the gitlab.com webhook function, attackers can use this to send a lot of requests to a victim's server.
2. There would not have been an issue if this were exploited using the attacker's own instance, but here it is attacked using gitlab.com.
Thanks
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [Screenshot_2020-06-21_at_12.47.13_PM.png](https://h1.sec.gitlab.net/a/9b3ff70b-1268-4d8b-9932-3d43bf37c199/Screenshot_2020-06-21_at_12.47.13_PM.png)
* [Screenshot_2020-06-21_at_12.57.42_PM.png](https://h1.sec.gitlab.net/a/e5978fcc-2859-41ce-9276-2b749094345c/Screenshot_2020-06-21_at_12.57.42_PM.png)
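The Impact section attributes the issue to the absence of a rate limit on the webhook test action. As an added illustration from the defender's side (example code written for this page, not GitLab's own implementation), the following is a per-project, per-hook sliding-window limiter of the kind that caps such a replayed burst; the class name `WebhookTestRateLimiter`, the `simulate_burst` helper, the 1 ms request spacing and the 5-per-60-seconds limit are assumed values, not GitLab's.

```ruby
# Example (not GitLab code): sliding-window rate limit for the
# "Test webhook" action, keyed by project and hook, so that a burst of
# replayed test requests cannot be turned into thousands of outbound calls.
class WebhookTestRateLimiter
  # limit: allowed test deliveries per window; window: seconds;
  # clock: injectable time source so the behaviour can be simulated offline.
  def initialize(limit: 5, window: 60, clock: -> { Time.now.to_f })
    @limit = limit
    @window = window
    @clock = clock
    # key => timestamps of test deliveries allowed inside the current window
    @buckets = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true if the test delivery may proceed, false if it is throttled.
  def allow?(project_id:, hook_id:)
    key = "#{project_id}:#{hook_id}"
    now = @clock.call
    stamps = @buckets[key]
    stamps.reject! { |t| t <= now - @window } # forget deliveries outside the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Simulate the report's replayed burst: 4000 "Test webhook" requests arriving
# 1 ms apart (constructed timing). Returns how many outbound deliveries the
# limiter would actually let through to the webhook target.
def simulate_burst(requests: 4000, limit: 5, window: 60)
  t = 0.0
  limiter = WebhookTestRateLimiter.new(limit: limit, window: window, clock: -> { t })
  delivered = 0
  requests.times do
    delivered += 1 if limiter.allow?(project_id: 42, hook_id: 7)
    t += 0.001
  end
  delivered
end

if __FILE__ == $PROGRAM_NAME
  puts "Outbound deliveries without a limit: 4000; with the limiter: #{simulate_burst}"
end
```

The same keying (project plus hook) means a limiter on one hook does not interfere with tests of another hook, while the window, not the thread count, bounds what reaches the target.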