Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-24 13:43:24 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4390: No subject

Browse source
This commit is contained in:
CPol 2024-08-26 22:42:26 +00:00 committed by gitbook-bot
parent 6a35d4d38c
commit a70ff8a2c3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 15 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
network-services-pentesting/pentesting-web/jira.md
View file

@ -21,7 +21,7 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
{% embed url="https://www.stmcyber.com/careers" %}
### Check Privileges
## Check Privileges
In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.
@ -76,7 +76,7 @@ Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```
### Automated enumeration
## Automated enumeration
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
@ -120,6 +120,19 @@ It's possible to observe that these plugins might be vulnerable to common web vu
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.
## Backdoor Plugin
[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes different (malicious) actions that could perform a malicious Jira plugin. You can find [**code example in this repo**](https://github.com/cyllective/malfluence).
These are some of the actions a malicious plugin could perform:
* **Hiding Plugins from Admins**: It's possible to hide the malicious plugin injecting some front-end javascript
* **Exfiltrating Attachments and Pages**: Allow to access and exfiltrate all the data.
* **Stealing Session Tokens**: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies.
* **Command Execution**: Ofc it's possible to create a plugin that will execute code.
* **Reverse Shell**: Or get a reverse shell.
* **DOM Proxying**: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>