hacktricks/network-services-pentesting/pentesting-web/jira.md

JIRA

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you are interested in a hacking career and in hacking the unhackable - we are hiring! (fluent written and spoken Polish required).

{% embed url="https://www.stmcyber.com/careers" %}

Check Privileges

In Jira, privileges can be checked by any user, authenticated or not, through the /rest/api/2/mypermissions or /rest/api/3/mypermissions endpoints. These endpoints reveal the current user's privileges. A key concern arises when unauthenticated users hold privileges, which indicates a security vulnerability that could potentially be eligible for a bounty. Likewise, unexpected privileges for authenticated users also indicate a security vulnerability.

An important update was made on 1 February 2019, requiring the 'mypermissions' endpoints to include a 'permissions' parameter. This requirement aims to enhance security by specifying the privileges being queried: check here

  • ADD_COMMENTS
  • ADMINISTER
  • ADMINISTER_PROJECTS
  • ASSIGNABLE_USER
  • ASSIGN_ISSUES
  • BROWSE_PROJECTS
  • BULK_CHANGE
  • CLOSE_ISSUES
  • CREATE_ATTACHMENTS
  • CREATE_ISSUES
  • CREATE_PROJECT
  • CREATE_SHARED_OBJECTS
  • DELETE_ALL_ATTACHMENTS
  • DELETE_ALL_COMMENTS
  • DELETE_ALL_WORKLOGS
  • DELETE_ISSUES
  • DELETE_OWN_ATTACHMENTS
  • DELETE_OWN_COMMENTS
  • DELETE_OWN_WORKLOGS
  • EDIT_ALL_COMMENTS
  • EDIT_ALL_WORKLOGS
  • EDIT_ISSUES
  • EDIT_OWN_COMMENTS
  • EDIT_OWN_WORKLOGS
  • LINK_ISSUES
  • MANAGE_GROUP_FILTER_SUBSCRIPTIONS
  • MANAGE_SPRINTS_PERMISSION
  • MANAGE_WATCHERS
  • MODIFY_REPORTER
  • MOVE_ISSUES
  • RESOLVE_ISSUES
  • SCHEDULE_ISSUES
  • SET_ISSUE_SECURITY
  • SYSTEM_ADMIN
  • TRANSITION_ISSUES
  • USER_PICKER
  • VIEW_AGGREGATED_DATA
  • VIEW_DEV_TOOLS
  • VIEW_READONLY_WORKFLOW
  • VIEW_VOTERS_AND_WATCHERS
  • WORK_ON_ISSUES

Example: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS

```bash
# Check non-authenticated privileges (no session cookie or credentials sent)
curl -s https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```
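As an added example (not code from the original page), the following script builds the mypermissions URL with the required `permissions` parameter and parses the JSON response so that every permission an anonymous session holds is listed as a finding; the base URL and the sample response are constructed assumptions, not values from a real instance.

```python
import json
import urllib.parse
import urllib.request

# Permission keys from the list above; asked for explicitly because
# /mypermissions requires the `permissions` parameter since February 2019.
AUDIT_PERMISSIONS = [
    "ADMINISTER", "ADMINISTER_PROJECTS", "BROWSE_PROJECTS", "CREATE_ISSUES",
    "DELETE_ISSUES", "EDIT_ISSUES", "SYSTEM_ADMIN", "USER_PICKER",
]


def mypermissions_url(base_url, permissions):
    """Build the /rest/api/2/mypermissions URL with the `permissions` query parameter."""
    query = urllib.parse.urlencode({"permissions": ",".join(permissions)})
    return f"{base_url.rstrip('/')}/rest/api/2/mypermissions?{query}"


def granted_permissions(response_json):
    """Return the sorted permission keys for which Jira reports havePermission == true."""
    perms = json.loads(response_json).get("permissions", {})
    return sorted(key for key, info in perms.items() if info.get("havePermission") is True)


def fetch_granted(base_url, permissions, session_cookie=None):
    """Query a Jira instance; session_cookie=None checks the anonymous view."""
    req = urllib.request.Request(mypermissions_url(base_url, permissions),
                                 headers={"Accept": "application/json"})
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return granted_permissions(resp.read().decode())


# Constructed sample of the response shape (not captured from a real instance).
SAMPLE_RESPONSE = json.dumps({"permissions": {
    "BROWSE_PROJECTS": {"id": "10", "key": "BROWSE_PROJECTS", "havePermission": True},
    "CREATE_ISSUES": {"id": "11", "key": "CREATE_ISSUES", "havePermission": True},
    "ADMINISTER": {"id": "0", "key": "ADMINISTER", "havePermission": False},
    "USER_PICKER": {"id": "27", "key": "USER_PICKER", "havePermission": True},
}})

if __name__ == "__main__":
    # Any permission granted to an unauthenticated session is a finding to report.
    print("Anonymous session holds:", granted_permissions(SAMPLE_RESPONSE))
```

Replace `SAMPLE_RESPONSE` with `fetch_granted("https://jira.example.invalid", AUDIT_PERMISSIONS)` to run the same check against an instance you are authorised to audit.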

Automated analysis
