
GitLab

Discovery

  • Default ports: 80, 443

  • Login page: /users/sign_in

  • API: /api/v4/


Version Enumeration

# In page source or footer
curl -s http://TARGET | grep 'gitlab'

# Via API (if accessible)
curl -s http://TARGET/api/v4/version

Username Enumeration

GitLab rate limits enumeration by default (config/initializers/devise.rb):

config.lock_strategy = :failed_attempts
config.maximum_attempts = 10

Registration Page Enumeration

If registration is enabled, try registering with known usernames: the form returns an error when the username (or email) already exists.


Public Repositories


Authenticated RCE (CVE-2021-22205)

Affects: GitLab CE/EE < 13.10.3, < 13.9.6, < 13.8.8

ExifTool metadata parsing RCE. Works if you can register an account.

PoC: https://www.exploit-db.com/exploits/49951

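To turn the version gathered during discovery into a patch verdict for this CVE, here is an added Python helper (not from the original cheatsheet) that parses the version out of the page source or the /api/v4/version response and compares it against the fixed releases listed above; the function names are mine, and treating every release below 13.8.8 as affected is an assumption because the page gives no lower bound.

```python
"""Map a discovered GitLab version to a CVE-2021-22205 patch verdict.

Added example, not from the original cheatsheet. Fixed releases come from the
page; the lower bound (everything below 13.8.8 affected) is an assumption."""
import re
from typing import Optional, Tuple

# First fixed release on each branch listed on the page.
FIXED_RELEASES = ((13, 10, 3), (13, 9, 6), (13, 8, 8))


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first x.y.z version out of page source, a footer string or
    the /api/v4/version JSON body; None when no version string is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected_cve_2021_22205(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fix on its own release branch.
    Branches newer than 13.10 shipped with the fix; for branches older than
    13.8 the page lists no patched release (assumption: no backport)."""
    for fixed in FIXED_RELEASES:
        if version[:2] == fixed[:2]:
            return version < fixed  # same branch: compare patch level only
    return version < min(FIXED_RELEASES)  # below every patched branch


def triage(discovery_output: str) -> str:
    """Verdict for one host: 'affected', 'patched' or 'unknown'."""
    version = parse_version(discovery_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected_cve_2021_22205(version) else "patched"


# Constructed samples shaped like what the discovery commands above return.
SAMPLE_OUTPUTS = {
    "api_json": '{"version":"13.9.5","revision":"0123abcd"}',
    "footer": "GitLab Community Edition 13.10.3",
    "sign_in_page": "<html><title>GitLab</title></html>",
}

if __name__ == "__main__":
    for name, output in SAMPLE_OUTPUTS.items():
        print(f"{name}: {triage(output)}")
```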

Import Feature RCE

Older versions allow importing malicious project files:

  1. Create malicious repo with hooks

  2. Import via New Project → Import

  3. Hooks execute on clone/push


API Token Theft

If you have file read:


Default Paths

Path                   Description
/opt/gitlab/           GitLab Omnibus install
/var/opt/gitlab/       GitLab data
/var/log/gitlab/       Logs
/etc/gitlab/gitlab.rb  Main config


CVEs

CVE             Description
CVE-2021-22205  Auth RCE via ExifTool (< 13.10.3)
CVE-2021-22214  SSRF via webhook
CVE-2020-10977  Arbitrary file read
CVE-2018-19571  SSRF + CRLF
