GitLab - User Enumeration

By kannthu

Informative
Vidoc Module
#gitlab #enum #misconfig #fuzz
Description

What is "GitLab - User Enumeration"?

The "GitLab - User Enumeration" module is designed to detect user enumeration vulnerabilities in GitLab instances. GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager, issue tracking, continuous integration, and more. This module focuses on identifying misconfigurations that allow an attacker to enumerate valid usernames on a GitLab instance.

This module has an informative severity level, indicating that it provides valuable information about potential vulnerabilities but does not directly exploit or compromise the system.

This module was authored by Suman_Kar.

Impact

User enumeration vulnerabilities in GitLab can expose sensitive information, such as valid usernames, which can aid attackers in launching targeted attacks, such as brute-force attacks or social engineering campaigns. By identifying these vulnerabilities, organizations can take appropriate measures to mitigate the risk of unauthorized access to their GitLab instances.

How does the module work?

The "GitLab - User Enumeration" module works by sending HTTP requests to the target GitLab instance and analyzing the responses for specific patterns. It uses the following matching conditions:

- Body Regex: The module checks if the response body contains the pattern "exists.*:true". This indicates that the requested user exists on the GitLab instance.
- Status Code: The module verifies that the HTTP response status code is 200, indicating a successful request.
- Header Word: The module checks if the response header contains the word "application/json". This ensures that the response is in JSON format.

By combining these matching conditions, the module can identify misconfigurations that leak information about valid usernames on the target GitLab instance.

Here is an example of an HTTP request used by the module:

GET /users/{%user%}/exists HTTP/1.1
Host: {%Hostname%}
Accept: application/json, text/plain, */*
Referer: 

The module replaces the "{%user%}" placeholder with usernames from the "helpers/wordlists/user-list.txt" wordlist file.
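On the defending side, the request pattern above is visible in web server access logs as one client asking about many different usernames. The following is an added example, not part of the Vidoc module: it assumes nginx "combined" log format, uses constructed sample lines, and the `min_distinct` threshold is a hypothetical value to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /users/james/exists HTTP/1.1" 200 16 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /users/john/exists HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /users/robert/exists HTTP/1.1" 200 17 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /users/michael/exists HTTP/1.1" 200 16 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:10:01:10 +0000] "GET /users/alice/exists HTTP/1.1" 200 16 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:12 +0000] "GET /users/alice/exists HTTP/1.1" 200 16 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /users/sign_in HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Captures the client IP, the <name> segment of GET /users/<name>/exists, and the status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /users/(?P<user>[^/\s?]+)/exists(?:\?\S*)? HTTP/[\d.]+" (?P<status>\d{3}) '
)


def find_enumerators(log_text, min_distinct=3):
    """Return {ip: sorted distinct usernames} for clients that probed
    at least min_distinct different names and received a 200 response."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            # Lowercase so case variants of one name count once (an assumption of this example).
            probes[m.group("ip")].add(m.group("user").lower())
    return {
        ip: sorted(names)
        for ip, names in probes.items()
        if len(names) >= min_distinct
    }


if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} probed {len(names)} usernames: {', '.join(names)}")
```

A browser checking one name repeatedly during sign-up stays below the threshold, while a wordlist run crosses it within a few requests.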

It's important to note that this module is part of the Vidoc platform, which utilizes multiple modules to perform comprehensive scanning and testing of web applications.

For more information, refer to the malenames-usa-top1000.txt file in the SecLists repository.

Metadata: shodan-query: http.title:"GitLab"

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
regex: exists.*:true and
status: 200 and
word: application/json
Passive global matcher
No matching conditions.
On match action
Report vulnerability