# Jira & Confluence {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} ## Check Privileges In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**. An important **update** was made on **1st February 2019**, requiring the 'mypermissions' endpoint to include a **'permission' parameter**. This requirement aims to **enhance security** by specifying the privileges being queried: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter) * ADD\_COMMENTS * ADMINISTER * ADMINISTER\_PROJECTS * ASSIGNABLE\_USER * ASSIGN\_ISSUES * BROWSE\_PROJECTS * BULK\_CHANGE * CLOSE\_ISSUES * CREATE\_ATTACHMENTS * CREATE\_ISSUES * CREATE\_PROJECT * CREATE\_SHARED\_OBJECTS * DELETE\_ALL\_ATTACHMENTS * DELETE\_ALL\_COMMENTS * DELETE\_ALL\_WORKLOGS * DELETE\_ISSUES * DELETE\_OWN\_ATTACHMENTS * DELETE\_OWN\_COMMENTS * DELETE\_OWN\_WORKLOGS * EDIT\_ALL\_COMMENTS * EDIT\_ALL\_WORKLOGS * EDIT\_ISSUES * EDIT\_OWN\_COMMENTS * EDIT\_OWN\_WORKLOGS * LINK\_ISSUES * MANAGE\_GROUP\_FILTER\_SUBSCRIPTIONS * MANAGE\_SPRINTS\_PERMISSION * MANAGE\_WATCHERS * MODIFY\_REPORTER * MOVE\_ISSUES * RESOLVE\_ISSUES * SCHEDULE\_ISSUES * SET\_ISSUE\_SECURITY * SYSTEM\_ADMIN * TRANSITION\_ISSUES * USER\_PICKER * VIEW\_AGGREGATED\_DATA * VIEW\_DEV\_TOOLS * VIEW\_READONLY\_WORKFLOW * VIEW\_VOTERS\_AND\_WATCHERS * WORK\_ON\_ISSUES Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` ```bash #Check non-authenticated privileges curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true' ``` ## Automated enumeration * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe) * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira_scan) ## Atlasian Plugins As indicated in this [**blog**](https://cyllective.com/blog/posts/atlassian-audit-plugins), in the documentation about [Plugin modules ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/plugin-modules/) it's possible to check the different types of plugins, like: * [REST Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/rest-plugin-module): Expose RESTful API endpoints * [Servlet Plugin Module ↗](https://developer.atlassian.com/server/framework/atlassian-sdk/servlet-plugin-module/): Deploy Java servlets as part of a plugin * [Macro Plugin Module ↗](https://developer.atlassian.com/server/confluence/macro-module/): Implement Confluence Macros, i.e. parameterised HTML templates This is an example of the macro plugin type: ```java package com.atlassian.tutorial.macro; import com.atlassian.confluence.content.render.xhtml.ConversionContext; import com.atlassian.confluence.macro.Macro; import com.atlassian.confluence.macro.MacroExecutionException; import java.util.Map; public class helloworld implements Macro { public String execute(Map map, String body, ConversionContext conversionContext) throws MacroExecutionException { if (map.get("Name") != null) { return ("

Hello " + map.get("Name") + "!

"); } else { return "

Hello World!

"; } } public BodyType getBodyType() { return BodyType.NONE; } public OutputType getOutputType() { return OutputType.BLOCK; } } ``` It's possible to observe that these plugins might be vulnerable to common web vulnerabilities like XSS. For example the previous example is vulnerable because it's reflecting data given by the user. Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS. ## Backdoor Plugin [**This post**](https://cyllective.com/blog/posts/atlassian-malicious-plugin) describes different (malicious) actions that could perform a malicious Jira plugin. You can find [**code example in this repo**](https://github.com/cyllective/malfluence). These are some of the actions a malicious plugin could perform: * **Hiding Plugins from Admins**: It's possible to hide the malicious plugin injecting some front-end javascript * **Exfiltrating Attachments and Pages**: Allow to access and exfiltrate all the data. * **Stealing Session Tokens**: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies. * **Command Execution**: Ofc it's possible to create a plugin that will execute code. * **Reverse Shell**: Or get a reverse shell. * **DOM Proxying**: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}