id: gitlab-saml

info:
  name: Gitlab SAML - Detection
  author: rootxharsh,iamnoooob,pdresearch
  severity: info
  description: |
    The presence of SAML-based authentication on GitLab instances. SAML is commonly used for Single Sign-On (SSO) integrations, which allows users to authenticate with GitLab using an external Identity Provider (IdP).
  metadata:
    verified: true
    max-request: 1
    vendor: gitlab
    product: gitlab
    shodan-query:
      - http.title:"gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.html:"gitlab enterprise edition"
    fofa-query:
      - body="gitlab enterprise edition"
      - title="gitlab"
    google-query: intitle:"gitlab"
  tags: panel,saml,gitlab

http:
  - raw:
      - |
        GET /users/auth/saml/metadata HTTP/2
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "EntityDescriptor"
          - "SAML"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/xml"

      - type: status
        status:
          - 200
# digest: 490a00463044022052445983c4e9e4213a88b5a86572da1d915f2c6a36fa1796a320da8b4972d13a02203e7f3210bc742d72df0f6d29e57b885decea8ce96f0fe09d9ff468fbac19a67f:922c64590222798bb761d5b6d8e72950