mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GITBOOK-4390: No subject
parent
6a35d4d38c
commit
a70ff8a2c3
1 changed files with 15 additions and 2 deletions
|
@ -21,7 +21,7 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
|
||||||
|
|
||||||
{% embed url="https://www.stmcyber.com/careers" %}
|
{% embed url="https://www.stmcyber.com/careers" %}
|
||||||
|
|
||||||
### Check Privileges
|
## Check Privileges
|
||||||
|
|
||||||
In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.
|
In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.
|
||||||
|
|
||||||
|
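Review bot: The promotion of `### Check Privileges` to `## Check Privileges` comes with no stated reason, since the commit message is only "GITBOOK-4390: No subject". Please confirm the section is meant to stand at the top level rather than under its previous parent heading, and say so in the commit subject. While this paragraph is being touched: it calls any privilege held by a non-authenticated user a security vulnerability without saying which permissions are in scope, so a reader cannot tell intended public access from a misconfiguration. A sentence naming the permissions that should never be granted anonymously would make the check actionable.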
@ -76,7 +76,7 @@ Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions
|
||||||
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
||||||
```
|
```
|
||||||
|
|
||||||
### Automated enumeration
|
## Automated enumeration
|
||||||
|
|
||||||
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
|
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
|
||||||
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
|
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
|
||||||
|
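Review bot: The curl one-liner kept as context at the top of this hunk filters with `grep -iB6 '"havePermission": true'`, which depends on jq's pretty-printed layout and on every permission entry having exactly six lines before that field. Since the section is being restructured anyway, consider letting jq do the selection, for example `jq '.permissions[] | select(.havePermission)'`, and adding `-s` to curl so the output is only the JSON. The newly promoted `## Automated enumeration` heading also lists its two tools as bare links; a short phrase per link saying what each one checks would help readers choose.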
@ -120,6 +120,19 @@ It's possible to observe that these plugins might be vulnerable to common web vu
|
||||||
|
|
||||||
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.
|
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.
|
||||||
|
|
||||||
|
## Backdoor Plugin
|
||||||
|
|
||||||
|
[**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes different (malicious) actions that could perform a malicious Jira plugin. You can find [**code example in this repo**](https://github.com/cyllective/malfluence).
|
||||||
|
|
||||||
|
These are some of the actions a malicious plugin could perform:
|
||||||
|
|
||||||
|
* **Hiding Plugins from Admins**: It's possible to hide the malicious plugin injecting some front-end javascript
|
||||||
|
* **Exfiltrating Attachments and Pages**: Allow to access and exfiltrate all the data.
|
||||||
|
* **Stealing Session Tokens**: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies.
|
||||||
|
* **Command Execution**: Ofc it's possible to create a plugin that will execute code.
|
||||||
|
* **Reverse Shell**: Or get a reverse shell.
|
||||||
|
* **DOM Proxying**: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
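Review bot: The new `## Backdoor Plugin` section mixes products: the intro line speaks of "a malicious Jira plugin", while the linked code repository is `malfluence` and the DOM Proxying bullet says "If the confluence is inside a private network". Please state which product the post and the repo target, or say explicitly that the technique applies to both. The intro sentence also has inverted word order ("actions that could perform a malicious Jira plugin"); "actions that a malicious plugin could perform" reads correctly. The last bullet's "contact the server command executing through it" is hard to parse and should be reworded. Since the section lists only what such a plugin can do, a closing line pointing administrators to reviewing the installed apps list and who is allowed to upload apps would round it out.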