InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


How a line of code resulted in a $20,000 bug bounty from GitLab

The hidden dangers of numerical IDs

Roberto
Published in InfoSec Write-ups
4 min read · Jul 31, 2022


Summary

Web applications have many different kinds of objects, and it’s important to be able to uniquely identify each of them, which is what primary keys are for. We typically consider numerical IDs to be good identifiers; for example, we could assign a unique 10-digit number to each user. However, using deterministic, guessable IDs can easily lead to a common vulnerability: insecure direct object references (IDOR). In this type of vulnerability, the web app fails to check whether the attacker (let’s say user 1111) should be allowed to view or edit the resources of a victim (let’s say user 2222) before acting on the ID the attacker supplied.

Usually, these vulnerabilities are not in extremely obvious places; most apps take IDORs into account, and you probably won’t be able to delete another user’s account from yours using an IDOR. But in places that are easy to overlook, or where an access check might seem unnecessary, hidden dangers can lie. This is exactly what happened to GitLab when HackerOne user saltyyolk found a critical IDOR bug, resulting in a $20,000 bug bounty.

AI-Generated Image “floating numbers illustration” at craiyon.com

The Exploit

I will be going over saltyyolk’s summary and report provided at HackerOne. Please read the original summary for an in-depth technical analysis.

GitLab is a DevOps platform that is very similar to GitHub, but it tends to be geared more toward enterprise use. In GitLab, users have the ability to create projects, and if they already have an existing project elsewhere, they can also import one.

With this feature, users would most likely be importing an exported version of a different GitLab project. Within this export there is a project.json file that provides the project data. In this JSON file there is an array called issues, which contains the GitLab Issues (an important piece of GitLab’s project planning) that belong to the project, and the issues are referenced by their numerical IDs.

In saltyyolk’s exploit, the issues array was left blank, and an issue_ids array was added containing the IDs of the issues the attacker wanted to steal. Because the IDs were sequential numbers, one could theoretically steal every issue they wanted. Note: the original PoC created by saltyyolk can be
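To make the missing check concrete, here is an added example (written for this page; it is not GitLab’s code and does not reflect GitLab’s actual import implementation). It models the IDOR described in the summary above and in the project.json import: a constructed in-memory issue store with sequential integer IDs, a constructed project-membership table standing in for GitLab’s access control, and two import handlers. The vulnerable one resolves whatever issue_ids the uploaded file names; the hardened one resolves each ID and then checks that the importing user may read that issue, dropping and reporting everything else. The function names, the Issue class and the sample data are all assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample data (not GitLab's schema): a tiny in-memory issue store.
# Sequential integer IDs are what make other people's objects trivially guessable.
@dataclass(frozen=True)
class Issue:
    id: int
    project_id: int
    title: str
    confidential: bool = False

ISSUES = {
    101: Issue(101, 10, "Public roadmap item"),
    102: Issue(102, 20, "Credential rotation plan", confidential=True),
    103: Issue(103, 30, "Unreleased feature spec"),
}

# Constructed access-control table: which users are members of which project.
PROJECT_MEMBERS = {
    10: {"alice", "bob"},
    20: {"alice"},
    30: {"carol"},
}


def can_read_issue(user: str, issue: Issue) -> bool:
    """Authorization check: a user may read an issue only in a project they belong to."""
    return user in PROJECT_MEMBERS.get(issue.project_id, set())


def import_project_vulnerable(user: str, project_json: str) -> list[Issue]:
    """IDOR: the uploaded issue_ids are resolved directly and attached to the new
    project. The importing user's access to each referenced issue is never checked,
    so any readable-by-someone issue can be pulled in just by naming its number."""
    data = json.loads(project_json)
    ids = data.get("issue_ids", [])
    return [ISSUES[i] for i in ids if i in ISSUES]


def import_project_hardened(user: str, project_json: str) -> tuple[list[Issue], list]:
    """Same import, with the object-level authorization check added.

    Returns (attached_issues, rejected_ids). Unknown IDs and IDs the importer is
    not allowed to read are rejected rather than silently resolved; both look the
    same to the caller, so an attacker cannot use the response to enumerate which
    IDs exist."""
    data = json.loads(project_json)
    ids = data.get("issue_ids", [])
    # Reject malformed input up front instead of letting it reach the lookup.
    if not isinstance(ids, list) or not all(type(i) is int for i in ids):
        raise ValueError("issue_ids must be a list of integers")

    attached, rejected = [], []
    for i in ids:
        issue = ISSUES.get(i)
        if issue is None or not can_read_issue(user, issue):
            rejected.append(i)
            continue
        attached.append(issue)
    return attached, rejected


if __name__ == "__main__":
    # Constructed upload: an export whose issue_ids point at issues in projects
    # the importing user "bob" does not belong to (bob is only in project 10).
    upload = json.dumps({"issues": [], "issue_ids": [101, 102, 103]})

    print("vulnerable:", [i.title for i in import_project_vulnerable("bob", upload)])
    attached, rejected = import_project_hardened("bob", upload)
    print("hardened  :", [i.title for i in attached], "rejected ids:", rejected)
```

Running the block shows the difference directly: the vulnerable handler hands bob all three issues, including the confidential one from a project he is not a member of, while the hardened handler attaches only issue 101 and reports 102 and 103 as rejected. Two design points worth noting for your own import features: the check has to happen per object, on the server, after the ID is resolved, not once per request on the project being created; and the cleaner fix is to not accept references to existing server-side objects from a user-supplied file at all, creating fresh objects from the export’s own content instead. Detection-wise, an import that references many IDs outside the importer’s projects, or a burst of imports walking a range of sequential IDs, is the pattern to alert on.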


Written by Roberto

Stanford alum, Software Engineer with a passion for CyberSec, Biotech, and Sustainability. Work with me at https://www.tidallabs.io/.
