HackerOne report H1:978768 by sadd_man
Sep 10, 2020 - 10:21 p.m.

GitLab: Adding everyone to the repo due to the lack of rate limit


Summary

Because there is no rate limit on the "invite user" action in a project's Members section, a single account can add every user on GitLab to one repository by replaying the invite request with a different user ID each time.

Steps to reproduce


  1. Create a repository.
  2. Go to the project's Members section.
  3. Choose any user to invite.
  4. Before clicking the Invite button, intercept the request with Burp Suite…
  5. ███████
  6. Send the request to the Intruder module, set the █████ field as the payload position with a number range from 1 to 7006996, and start the attack. Every request succeeds; no throttling kicks in.
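The loop in step 6 works only because nothing counts invitations per inviter. Below is an added example (not GitLab's code and not part of the original report) of the missing control: a per-inviter sliding-window rate limit in front of the "add member" action, plus a simulation of the report's user-ID sweep run against it so the effect is visible. The budget of 100 invitations per minute, the inviter ID 42, the 10 ms request pacing and the endpoint shape are all assumptions.

```ruby
# Added example, not GitLab's code: a per-inviter sliding-window rate limit
# for project member invitations, and a simulation of the report's mass-invite
# loop running into it. Limits, IDs and pacing below are assumptions.
require 'set'

class InviteRateLimiter
  # limit:     maximum invitations one inviter may send within the window
  # window_ms: window length in milliseconds
  # clock:     callable returning the current time in ms (monotonic by default;
  #            injected so the simulation below can drive time deterministically)
  def initialize(limit:, window_ms:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) })
    @limit = limit
    @window_ms = window_ms
    @clock = clock
    @events = Hash.new { |h, k| h[k] = [] } # inviter_id => sorted timestamps (ms)
  end

  # Returns true and records the event if the inviter is under the limit,
  # false if the invite should be rejected (HTTP 429 at a real endpoint).
  # In production this state belongs in a shared store such as Redis, not in
  # process memory, so every application server enforces the same budget.
  def allow?(inviter_id)
    now = @clock.call
    stamps = @events[inviter_id]
    # Drop timestamps that have aged out (exactly window_ms old counts as expired).
    stamps.shift while !stamps.empty? && stamps.first <= now - @window_ms
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Minimal stand-in for the project members endpoint the report targets.
class ProjectMembers
  attr_reader :members, :rejected

  def initialize(limiter)
    @limiter = limiter
    @members = Set.new
    @rejected = 0
  end

  # Simulated "add member" request: inviter_id is the authenticated caller,
  # user_id the account being invited (the field the report iterates over).
  def invite(inviter_id, user_id)
    unless @limiter.allow?(inviter_id)
      @rejected += 1
      return :throttled
    end
    @members << user_id
    :created
  end
end

# Drive the report's loop (user IDs 1..total_users, one request every
# interval_ms, as an Intruder-style tool would send them) against a limited
# endpoint. Input is constructed; inviter ID 42 is an arbitrary assumed account.
def simulate_mass_invite(total_users:, limit:, window_ms:, interval_ms: 10)
  now_ms = 0
  clock = -> { now_ms }
  limiter = InviteRateLimiter.new(limit: limit, window_ms: window_ms, clock: clock)
  project = ProjectMembers.new(limiter)
  counts = Hash.new(0)
  (1..total_users).each do |user_id|
    counts[project.invite(42, user_id)] += 1
    now_ms += interval_ms
  end
  { created: counts[:created], throttled: counts[:throttled], members: project.members.size }
end

if __FILE__ == $PROGRAM_NAME
  # 100 invites/minute against a 10,000-ID sweep at 100 req/s:
  # {:created=>200, :throttled=>9800, :members=>200}
  p simulate_mass_invite(total_users: 10_000, limit: 100, window_ms: 60_000)
end
```

The limiter keys on the inviter, not on the target user or the client IP: that is the identity the attacker cannot rotate cheaply, and it leaves ordinary team onboarding (a few dozen invites at a time) unaffected. Pair the 429 response with an alert on repeated throttling of one account so the sweep is investigated rather than merely slowed.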

Impact

Every user on GitLab can be added to a single repository by one account, so every affected user's mailbox is flooded with invitation notifications for a project they never asked to join.

Note

Because the rate limit is out of scope, I tested it and I could not stop the Python script, and there were users affected.
