hacktricks/pentesting/pentesting-web/jira.md

# JIRA

### Check Privileges

Inside a Jira instance **any user** \(even **non-authenticated**\) can **check its privileges** in `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` . These endpoints will return your current privileges.  
If a **non-authenticated** user have any **privilege**, this is a **vulnerability** \(bounty?\).  
If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.

```bash
#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```

### Automated enumeration

* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira_scan)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# JIRA`

			`### Check Privileges`

			Inside a Jira instance any user \(even non-authenticated\) can check its privileges in `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` . These endpoints will return your current privileges.
			`If a non-authenticated user have any privilege, this is a vulnerability \(bounty?\).`
			`If an authenticated user have any unexpected privilege, this a a vuln.`

			```bash
			`#Check non-authenticated privileges`
			`curl https://jira.some.example.com/rest/api/2/mypermissions \| jq \| grep -iB6 '"havePermission": true'`
			```

GitBook: [master] one page modified 2021-07-26 11:23:34 +00:00			`### Automated enumeration`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2021-07-26 11:23:34 +00:00			`* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)`
			`* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira_scan)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00