GITBOOK-4390: No subject

CPol 2024-08-26 22:42:26 +00:00 committed by gitbook-bot
parent 6a35d4d38c
commit a70ff8a2c3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -21,7 +21,7 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
{% embed url="https://www.stmcyber.com/careers" %} {% embed url="https://www.stmcyber.com/careers" %}
### Check Privileges ## Check Privileges
In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**. In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.
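Review bot: The only change in this hunk is the heading level, `### Check Privileges` to `## Check Privileges`, and the commit subject ("No subject") records no reason for it. The same promotion is applied to `Automated enumeration` in the next hunk, and the new `Backdoor Plugin` section is also added at `##`, so it looks deliberate. Please say so in the commit message, and confirm these sections are meant to be top-level siblings rather than subsections of the `##` section that precedes them.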
@ -76,7 +76,7 @@ Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true' curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
``` ```
### Automated enumeration ## Automated enumeration
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe) * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan) * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
@ -120,6 +120,19 @@ It's possible to observe that these plugins might be vulnerable to common web vu
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS. Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.
## Backdoor Plugin
[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes different (malicious) actions that could perform a malicious Jira plugin. You can find [**code example in this repo**](https://github.com/cyllective/malfluence).
These are some of the actions a malicious plugin could perform:
* **Hiding Plugins from Admins**: It's possible to hide the malicious plugin injecting some front-end javascript
* **Exfiltrating Attachments and Pages**: Allow to access and exfiltrate all the data.
* **Stealing Session Tokens**: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies.
* **Command Execution**: Ofc it's possible to create a plugin that will execute code.
* **Reverse Shell**: Or get a reverse shell.
* **DOM Proxying**: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
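Review bot: The intro sentence of the new `## Backdoor Plugin` section has inverted word order and does not match the product its own sources name. "actions that could perform a malicious Jira plugin" should read "actions that a malicious Jira plugin could perform", and while it says Jira, the linked repo (`malfluence`) and the DOM Proxying bullet ("If the confluence is inside a private network") refer to Confluence. State which product or products the section applies to. In the bullets, "Ofc" should be spelled out, "Allow to access" is missing a subject, "Reverse Shell" is a special case of "Command Execution" and could be merged into it, and the last clause of the DOM Proxying bullet ("contact the server command executing through it") is hard to parse. Since the first bullet says the plugin can hide itself from admins, a sentence on how an administrator would check for such a plugin would make the section useful to defenders as well.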