Detect GitLab SSRF Exploitation (CVE-2021-22175) in Microsoft Sentinel
Detects exploitation of CVE-2021-22175, a Server-Side Request Forgery (SSRF) vulnerability in GitLab. An attacker can craft requests that cause the GitLab server to make HTTP requests to internal or external resources, potentially exposing cloud metadata endpoints, internal services, or facilitating lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
KQL Detection Query
union isfuzzy=true
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s matches regex @"/(import|export|hook|webhook|integrations|api/v4/projects/[0-9]+/import)"
| where httpStatus_i in (200, 302, 400, 500)
| extend TargetUrl = tostring(parse_url(requestUri_s))
| where requestUri_s contains "url=" or requestUri_s contains "remote=" or requestUri_s contains "import_url"
),
(
CommonSecurityLog
| where DeviceVendor == "GitLab" or ApplicationProtocol == "HTTP"
| where RequestURL matches regex @"/(import|hook|webhook|integrations)"
| where RequestURL contains "169.254.169.254" or RequestURL contains "metadata" or RequestURL contains "internal"
| extend SSRFIndicator = true
),
(
W3CIISLog
| where csUriStem matches regex @"/(import|hook|webhook)"
| where csUriQuery contains "url=http" or csUriQuery contains "url=https"
| extend DecodedQuery = url_decode(csUriQuery)
| where DecodedQuery contains "169.254" or DecodedQuery contains "10." or DecodedQuery contains "192.168." or DecodedQuery contains "localhost"
)
| summarize RequestCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by SourceIP=coalesce(clientIp_s, SourceIP, cIP), TargetEndpoint=coalesce(requestUri_s, RequestURL, csUriStem)
| where RequestCount >= 1
| extend Severity = "High", CVE = "CVE-2021-22175"
| order by RequestCount descDetects HTTP requests to GitLab endpoints commonly targeted in SSRF exploitation (import, webhook, integrations) that contain internal IP addresses, cloud metadata endpoints, or SSRF-indicative URL parameters.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate GitLab project imports from external repositories using HTTP/HTTPS URLs
- Webhook configuration testing by developers pointing to internal test environments
- Security scanners or vulnerability assessment tools probing GitLab endpoints
- GitLab CI/CD pipelines that legitimately reference internal service URLs
Other platforms for CVE-2021-22175
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GitLab SSRF via Project Import URL - AWS Metadata
Expected signal: Outbound HTTP GET to 169.254.169.254 from GitLab server process; network flow record showing connection to 169.254.0.0/16 from GitLab host; GitLab production.log entry with import_url containing metadata endpoint
- Test 2GitLab SSRF via Webhook Creation - Internal Service Probe
Expected signal: Network connection from GitLab server to 192.168.1.1:8500 visible in network flow data; GitLab web_hooks table entry with internal IP URL; web server access log showing webhook API POST with internal URL in body
- Test 3GitLab SSRF via Remote Mirror - Loopback File Access
Expected signal: GitLab application log entries showing file:// or gopher:// scheme in remote mirror URL; database record in remote_mirrors table with dangerous URL scheme; error log entries from GitLab attempting to process the invalid/dangerous URL
Unlock Pro Content
Get the full detection package for CVE-2021-22175 including response playbook, investigation guide, and atomic red team tests.