In the example, we redirect a user to a fake source page. Note that we do not have to be on the same origin as the redirected domain, so the attacker does not need to be on the same network as the target; all they need is the target user's GitLab account. To exploit this issue, the attacker needs to convince a user to follow the attacker's link, for example by sending a message by email or via social media that contains a link such as https://reported-by.gitlab.com/. The attacker's link could carry a malicious payload, such as a file that downloads and runs malicious code on the user's system, or the attacker could convince the user to click a malicious link in an article or social media post.

Faulty Authentication: Stored Accounts

The vulnerability can be found in the GitLab logout process. If a user is unable to authenticate, they are redirected to the following page: https://reported-by.gitlab.com/login?redirect=
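
The defensive counterpart to a `redirect=` parameter like the one above is to validate the target before issuing the redirect. The following Ruby helper is an added example written for this page; it is not GitLab's code, and the helper name `safe_redirect_target` and the sample host `gitlab.example.com` are assumptions made for the illustration. It accepts only paths on the application's own origin and falls back to `/` for anything that would leave it (absolute URLs to other hosts, protocol-relative `//host` targets, backslash variants, non-https schemes, or control characters).

```ruby
require "uri"

# Added example, not GitLab's code: validate a post-login "redirect" parameter
# so the application only ever redirects within its own origin.

APP_HOST = "gitlab.example.com" # constructed sample host (assumption)
DEFAULT_PATH = "/"

# Returns a path that is safe to hand to a redirect, or DEFAULT_PATH when the
# supplied value would send the user to a different origin.
def safe_redirect_target(param, app_host: APP_HOST)
  return DEFAULT_PATH if param.nil? || param.strip.empty?

  value = param.strip
  # Control characters could split headers or confuse downstream parsers.
  return DEFAULT_PATH if value.match?(/[\x00-\x1f\x7f]/)
  # Browsers treat "\" like "/", so "/\evil.example" acts as "//evil.example".
  return DEFAULT_PATH if value.include?("\\")
  # Protocol-relative targets inherit the scheme but change the host.
  return DEFAULT_PATH if value.start_with?("//")

  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    return DEFAULT_PATH
  end

  # Anything carrying a scheme or host must be exactly this app's https origin,
  # and must not smuggle credentials in the authority part.
  if uri.scheme || uri.host
    return DEFAULT_PATH unless uri.scheme == "https" && uri.host == app_host
    return DEFAULT_PATH if uri.userinfo
  end

  # Only absolute paths on this origin are allowed; "dashboard" (relative) and
  # opaque forms such as "javascript:..." have no leading slash and are dropped.
  path = uri.path.to_s
  return DEFAULT_PATH unless path.start_with?("/")

  # Re-emit as a bare path so the scheme and host are never taken from input.
  result = path
  result += "?#{uri.query}" if uri.query
  result += "##{uri.fragment}" if uri.fragment
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a legitimate same-origin target and several
  # off-origin variants that should all collapse to DEFAULT_PATH.
  ["/dashboard", "https://gitlab.example.com/foo?x=1", "https://evil.example/",
   "//evil.example/path", "/\\evil.example", "javascript:alert(1)"].each do |t|
    puts "#{t.inspect} -> #{safe_redirect_target(t).inspect}"
  end
end
```

The important design choice is the last step: rather than echoing the caller's string back into the `Location` header after checking it, the helper rebuilds the target from the parsed path, query and fragment only, so no parsing disagreement between this check and the browser can reintroduce an external host.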

How to bypass the bypass-protection and access your malicious payload

There are two ways to bypass the bypass-protection and access your malicious payload.
1) The first way is to send an NNTP command in an email. For example, "X-AUTHORIZATION: blah blah blah" will bypass the protection if the user clicks on it in their email client.
2) The second way is to create a malicious website and host it under a different domain name.

Authentication Issues

There are many ways that this issue can be exploited. The attacker could convince the user to sign into their account using their email and password. The attacker could also introduce themselves as a member of GitLab, which would allow them to gain access if the user is logged in.

Timeline

Published on: 11/09/2022 23:15:00 UTC
Last modified on: 11/11/2022 01:55:00 UTC
