GitLab Default Login Scanner
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 25 days 19 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
GitLab is a DevOps lifecycle tool that provides a Git repository manager with features such as issue tracking, continuous integration, and deployment. Many organizations choose to self-host GitLab for greater control over their repositories and data security. However, self-hosted instances, if not secured, may be susceptible to brute-force attacks, particularly credential stuffing.
This check detects whether login attempts succeed on self-hosted GitLab instances, specifically to identify possible credential stuffing risk. Credential stuffing is a brute-force attack technique in which attackers reuse stolen username and password pairs to gain unauthorized access to accounts. The detection checks whether such logins succeed, which would indicate insufficient login protection and exposure to credential stuffing.
Technically, the scanner detects the issue by sending POST requests with various username-password pairs to GitLab's `/users/sign_in` endpoint. It recognises a successful login from the response pattern: a 302 redirect together with the absence of the phrase `"invalid login"` in the response body (a failed sign-in re-renders the form with that message instead of redirecting). A successful login shows that the endpoint accepts known credentials and is not adequately secured.
Exploiting this vulnerability could allow attackers unauthorized access to GitLab repositories, configurations, and other sensitive information. Attackers could gain insights into code, deployment settings, and user data, making it critical to secure GitLab login configurations.
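As an added example (not part of this scanner page and not GitLab's own tooling), the following Python script shows how an asset owner can spot the same activity from the defending side: it reads GitLab's `production_json.log`, isolates POST requests to `/users/sign_in`, and flags source addresses that fire many sign-in attempts within a short window, especially when a 302 (successful sign-in) follows a burst of 200 responses (failed sign-ins that re-render the form). The log lines below are constructed; the field names `method`, `path`, `status`, `remote_ip` and `time` are assumed to match that log's format, and the threshold and window are tunable assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of GitLab's production_json.log (one JSON object per
# line). Field names follow that log's format; every value here is made up.
SAMPLE_LOG = "\n".join([
    '{"method":"GET","path":"/dashboard","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:00Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:01Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:05Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:09Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:13Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:17Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:21Z"}',
    '{"method":"POST","path":"/users/sign_in","status":302,"remote_ip":"198.51.100.7","time":"2024-05-01T10:00:25Z"}',
    '{"method":"POST","path":"/users/sign_in","status":200,"remote_ip":"203.0.113.5","time":"2024-05-01T10:05:00Z"}',
    '{"method":"POST","path":"/users/sign_in","status":302,"remote_ip":"203.0.113.5","time":"2024-05-01T10:05:20Z"}',
    'this line is deliberately not JSON',
])

SIGN_IN_PATH = "/users/sign_in"
FAILED = 200   # failed sign-in: GitLab re-renders the form (with "Invalid login ...")
SUCCESS = 302  # successful sign-in: redirect to the dashboard


def parse_sign_in_events(log_text):
    """Group POST /users/sign_in records by source IP as sorted (time, status) lists."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if rec.get("method") != "POST" or rec.get("path") != SIGN_IN_PATH:
            continue
        # The log writes UTC timestamps with a trailing "Z"; make them parseable on older Pythons.
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events[rec["remote_ip"]].append((ts, int(rec["status"])))
    for ip in events:
        events[ip].sort()
    return dict(events)


def find_stuffing_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: finding} for IPs with >= threshold sign-in POSTs inside any window.

    finding = {"attempts": total POSTs, "failures": 200s, "successes": 302s,
               "success_after_burst": a 302 seen once the burst threshold was reached}
    """
    findings = {}
    for ip, attempts in events.items():
        burst = False
        success_after_burst = False
        start = 0  # left edge of the sliding window over the sorted attempts
        for i, (ts, status) in enumerate(attempts):
            while ts - attempts[start][0] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst = True
            if burst and status == SUCCESS:
                success_after_burst = True
        if burst:
            findings[ip] = {
                "attempts": len(attempts),
                "failures": sum(1 for _, s in attempts if s == FAILED),
                "successes": sum(1 for _, s in attempts if s == SUCCESS),
                "success_after_burst": success_after_burst,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_stuffing_sources(parse_sign_in_events(SAMPLE_LOG)).items():
        severity = "HIGH (login succeeded after burst)" if finding["success_after_burst"] else "MEDIUM"
        print(f"{ip}: {finding['attempts']} sign-in POSTs, "
              f"{finding['failures']} failed, {finding['successes']} succeeded -> {severity}")
```

The script deliberately distinguishes a burst of failures from a burst followed by a 302: the first is a stuffing attempt worth rate limiting, the second is a likely account compromise worth an immediate password reset and session review. The 200-versus-302 split mirrors the response pattern the scanner itself relies on.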