This article discusses the write-up on the discovery of a GitLab DoS attack carried out through comments on an “Issue”, reported by the bug hunter known on HackerOne as 8ayac. But before that, let’s start with a basic explanation of the DoS vulnerability class.
What is Denial of Service (DoS)?
Denial-of-service (DoS) attacks are a type of cyber attack that can be highly disruptive. Essentially, attackers use multiple sources to send an overwhelming amount of traffic to a network or system, causing it to become unable to function properly. This can cause major problems, including financial losses, harm to a company’s reputation, and the theft of important data.
The Story of GitLab DOS
A serious vulnerability was discovered on GitLab.com that allowed a Denial-of-Service (DoS) attack affecting both the server side and the client side. It was first reported by 8ayac in May 2019 through the HackerOne platform, and he was rewarded with $1000.
The issue is that issue comments had no maximum character limit. This flaw allows an attacker to perform a DoS attack on GitLab on both the server side and the client side by exhausting server resources. As a result, all users are denied access to the GitLab service.
To reproduce, an attacker would need to sign in to GitLab, then create a new project with a README.md file and a public visibility level. Once the project is created, the attacker creates an issue in it and posts comments on that issue.
Steps to Reproduce the GitLab DoS
The attacker then posts a comment consisting of the string “/a/” repeated 50,000 times. When the attacker reloads the issue page, an error message appears, stating that “something went wrong while fetching comments. Please try again.”
The attacker would then repeat this process several times to exhaust the server’s resources and deny service to all users.
The attacker can also perform a server-side attack by continuously sending the requests generated in the client-side attack. This can be achieved with a script that sends requests to the GitLab server carrying the same malicious string of characters as the client-side attack.
The server’s CPU is exhausted, and users are denied access to the GitLab service.
The impact of this vulnerability is severe for both the client-side and the server-side attack. On the client side, all comments on the issue become inaccessible; on the server side, users are unable to access the GitLab service.
It is essential to note that any user who can comment on the issue can exploit this vulnerability.
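The root cause described above is an unbounded input (comment length) that drives expensive server-side work, compounded by the absence of a cap on how often a single account can trigger that work. The following Ruby snippet is an added example, not GitLab’s own code, showing the two application-layer controls that close this class of issue: a hard byte limit on the comment body and a per-user sliding-window rate limit on comment creation. The constants `MAX_COMMENT_BYTES` and `MAX_COMMENTS_PER_MINUTE` are hypothetical policy values chosen for the example (GitLab’s actual limits are not stated on this page), and the in-memory limiter stands in for the shared store (for example Redis) a real deployment would use.

```ruby
# Added example (not GitLab's code): application-layer guards against an
# unbounded-comment DoS. Values below are hypothetical policy choices.
MAX_COMMENT_BYTES = 16_384        # hypothetical upper bound on a comment body
MAX_COMMENTS_PER_MINUTE = 10      # hypothetical per-user creation budget

class CommentRejected < StandardError; end

# Sliding-window rate limiter keyed by user id. It keeps a log of recent
# request timestamps per user; state is in-memory here, whereas a real
# deployment would keep it in shared storage so every web node agrees.
class CommentRateLimiter
  def initialize(limit:, window_seconds: 60, clock: -> { Time.now.to_f })
    @limit = limit
    @window = window_seconds
    @clock = clock                 # injectable clock so the limiter is testable
    @log = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true and records the attempt if the user is under budget,
  # false otherwise. Attempts are counted even when the comment is later
  # rejected, so a client cannot probe the limit for free.
  def allow?(user_id)
    now = @clock.call
    stamps = @log[user_id]
    stamps.reject! { |t| now - t >= @window }   # drop entries outside the window
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Validates a comment body before it is stored or handed to the Markdown
# renderer. Raises CommentRejected with a reason, otherwise returns the body.
def validate_comment_body(body, max_bytes: MAX_COMMENT_BYTES)
  raise CommentRejected, "comment is empty" if body.nil? || body.strip.empty?
  if body.bytesize > max_bytes
    raise CommentRejected, "comment exceeds #{max_bytes} bytes"
  end
  body
end

# Gate a controller would call before doing any expensive work.
# Returns a [status, reason] pair instead of raising so callers can map it
# to an HTTP 429 (rate limited) or 422 (rejected) response.
def submit_comment(user_id:, body:, limiter:, max_bytes: MAX_COMMENT_BYTES)
  return [:rate_limited, "too many comments"] unless limiter.allow?(user_id)
  validate_comment_body(body, max_bytes: max_bytes)
  [:accepted, nil]
rescue CommentRejected => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample run: the page's oversized payload is refused before
  # any rendering happens, while ordinary comments pass.
  limiter = CommentRateLimiter.new(limit: MAX_COMMENTS_PER_MINUTE)
  oversized = "/a/" * 50_000            # 150,000 bytes, well above the cap
  p submit_comment(user_id: 42, body: "Looks good to me.", limiter: limiter)
  p submit_comment(user_id: 42, body: oversized, limiter: limiter)
end
```

The order of the checks is deliberate: the rate limiter is consulted first, so an oversized body still consumes one slot of the user’s budget and a script that hammers the endpoint with rejected payloads is throttled just like one that posts valid ones.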
GitLab Advises Users to Immediately Update to the Latest Version
GitLab.com users are advised to be cautious and take the necessary measures to protect themselves from this GitLab DoS vulnerability. GitLab has fixed the issue, and users should ensure that they have updated their GitLab service to the latest version to avoid any security breaches.
How to Prevent Denial of Service (DoS) Attacks?
There are several ways to prevent DoS attacks:
- DDoS Mitigation: DDoS mitigation tools and services can help prevent DoS attacks by detecting and filtering out malicious traffic. These tools use various techniques such as rate limiting, IP blocking, and deep packet inspection to identify and block malicious traffic.
- Firewall Configuration: Properly configured firewalls can help prevent DoS attacks by filtering out unwanted traffic before it reaches your servers. Firewalls can be configured to block specific IP addresses or ports, limit the number of connections from a single IP address, and restrict traffic based on protocol and application.
- Content Delivery Network (CDN): A CDN can help prevent DoS attacks by distributing traffic across multiple servers and data centers, reducing the load on any one server. CDNs also use caching techniques to speed up content delivery and reduce server load.
- Server Capacity Planning: Proper server capacity planning can help prevent DoS attacks by ensuring that your servers have sufficient resources to handle expected traffic loads. This involves analyzing traffic patterns and usage trends to determine the optimal number of servers and resources needed to handle traffic.
- Regular Updates and Patching: Regularly updating and patching your systems and software can help prevent DoS attacks by fixing known vulnerabilities and weaknesses that attackers could exploit. This includes updating operating systems, web servers, and applications to their latest versions and applying security patches as soon as they become available.
- Employee Training and Awareness: Employee training and awareness can help prevent DoS attacks by educating employees on how to identify and respond to potential attacks. This includes training employees on how to recognize phishing emails, avoid clicking on suspicious links or attachments, and report any suspicious activity to IT or security teams.
HackerOne Report: here