
GitLab public snippets

By kannthu

Severity: Informative
Vidoc Module
#gitlab #exposure #misconfig
Description


What is GitLab public snippets?

GitLab public snippets is a module that detects misconfigurations in GitLab instances related to the exposure of public snippets. It targets GitLab, a web-based DevOps lifecycle tool that provides a repository manager, issue tracking, continuous integration, and more.

This module has an informative severity level, meaning it provides valuable information but does not indicate a critical vulnerability.

Author: pdteam

Impact

This module helps identify instances where GitLab public snippets are exposed to unauthorized access. If misconfigured, these public snippets may contain sensitive information that could be accessed by unauthorized individuals.

How does the module work?

The GitLab public snippets module works by sending HTTP requests to specific endpoints and matching the responses against predefined conditions. It checks for the presence of the title "Snippets · Explore · GitLab" in the response, a status code of 200, and the absence of certain phrases like "No snippets found" or "Nothing here."

Example HTTP request:

GET /explore/snippets

Matching conditions:

- The response must contain the title "Snippets · Explore · GitLab" and have a status code of 200.
- The response must not include the phrases "No snippets found" or "Nothing here."
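The matcher chain the module applies (word AND status AND NOT word), written out in Python as an added illustration rather than the module's own code. `Response`, `matches` and `check_instance` are assumed names; the sample responses are constructed, and the two paths are the ones the module preview requests.

```python
from dataclasses import dataclass
from typing import Callable, List

# Paths the module requests, as listed in the module preview.
PATHS = ("/explore/snippets", "/-/snippets")

# Positive word matcher. The preview truncates the closing tag, so match on the
# opening tag plus title text, which is what distinguishes the explore page.
TITLE_WORD = "<title>Snippets · Explore · GitLab"

# Negative word matchers: either phrase means the page rendered but listed nothing.
NEGATIVE_WORDS = ("No snippets found", "Nothing here.")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not from a real client)."""
    status: int
    body: str


def matches(resp: Response) -> bool:
    """Apply the module's conditions: title present AND status 200 AND no negative phrase."""
    has_title = TITLE_WORD in resp.body
    status_ok = resp.status == 200
    has_negative = any(phrase in resp.body for phrase in NEGATIVE_WORDS)
    return has_title and status_ok and not has_negative


def check_instance(fetch: Callable[[str], Response]) -> List[str]:
    """Return the module paths whose response satisfies the matcher chain.

    `fetch` is injected so the logic can be exercised offline against constructed
    responses; a real run would perform the GET for each path.
    """
    return [path for path in PATHS if matches(fetch(path))]


# Constructed sample responses (not captured from any real instance).
EXPOSED = Response(200, "<html><head><title>Snippets · Explore · GitLab</title></head>"
                        "<body><ul class='snippets-list'><li>config.yml</li></ul></body></html>")
EMPTY = Response(200, "<html><head><title>Snippets · Explore · GitLab</title></head>"
                      "<body><p>No snippets found</p></body></html>")
BLOCKED = Response(302, "")  # redirect to sign-in: status condition fails

if __name__ == "__main__":
    # Simulated instance: explore page lists snippets, the /-/snippets path redirects.
    simulated = {"/explore/snippets": EXPOSED, "/-/snippets": BLOCKED}
    print(check_instance(lambda p: simulated[p]))  # ['/explore/snippets']
```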

Reference:

- https://gist.github.com/vysecurity/20311c29d879e0aba9dcffbe72a88b10
- https://twitter.com/intigriti/status/1375078783338876929

Metadata:

shodan-query: http.title:"GitLab"

Module preview

Concurrent Requests (1)

1. HTTP Request template

GET /explore/snippets
GET /-/snippets

Matching conditions

word: <title>Snippets · Explore · GitLab</titl... and
status: 200 and
NOT word: No snippets found, Nothing here.

Passive global matcher

No matching conditions.

On match action

Report vulnerability