Jira & Confluence
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Katika Jira, privileges zinaweza kuangaliwa na mtumiaji yeyote, aliyeidhinishwa au la, kupitia endpoints /rest/api/2/mypermissions au /rest/api/3/mypermissions. Endpoints hizi zinaonyesha privileges za sasa za mtumiaji. Wasiwasi mkubwa unatokea wakati watumiaji wasio na uthibitisho wana privileges, ikionyesha udhaifu wa usalama ambao unaweza kuwa na haki ya bounty. Vivyo hivyo, privileges zisizotarajiwa kwa watumiaji walioidhinishwa pia zinaonyesha udhaifu.
Sasisho muhimu lilifanywa tarehe 1 Februari 2019, likihitaji endpoint 'mypermissions' kujumuisha 'parameter ya ruhusa'. Mahitaji haya yanakusudia kuimarisha usalama kwa kubainisha privileges zinazoulizwa: check it here
ADD_COMMENTS
ADMINISTER
ADMINISTER_PROJECTS
ASSIGNABLE_USER
ASSIGN_ISSUES
BROWSE_PROJECTS
BULK_CHANGE
CLOSE_ISSUES
CREATE_ATTACHMENTS
CREATE_ISSUES
CREATE_PROJECT
CREATE_SHARED_OBJECTS
DELETE_ALL_ATTACHMENTS
DELETE_ALL_COMMENTS
DELETE_ALL_WORKLOGS
DELETE_ISSUES
DELETE_OWN_ATTACHMENTS
DELETE_OWN_COMMENTS
DELETE_OWN_WORKLOGS
EDIT_ALL_COMMENTS
EDIT_ALL_WORKLOGS
EDIT_ISSUES
EDIT_OWN_COMMENTS
EDIT_OWN_WORKLOGS
LINK_ISSUES
MANAGE_GROUP_FILTER_SUBSCRIPTIONS
MANAGE_SPRINTS_PERMISSION
MANAGE_WATCHERS
MODIFY_REPORTER
MOVE_ISSUES
RESOLVE_ISSUES
SCHEDULE_ISSUES
SET_ISSUE_SECURITY
SYSTEM_ADMIN
TRANSITION_ISSUES
USER_PICKER
VIEW_AGGREGATED_DATA
VIEW_DEV_TOOLS
VIEW_READONLY_WORKFLOW
VIEW_VOTERS_AND_WATCHERS
WORK_ON_ISSUES
Mfano: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS
Kama ilivyoonyeshwa katika blog, katika nyaraka kuhusu Plugin modules ↗ inawezekana kuangalia aina tofauti za plugins, kama:
REST Plugin Module ↗: Fichua RESTful API endpoints
Servlet Plugin Module ↗: Weka Java servlets kama sehemu ya plugin
Macro Plugin Module ↗: Tekeleza Confluence Macros, yaani, templates za HTML zenye vigezo
Hii ni mfano wa aina ya macro plugin:
It's possible to observe that these plugins might be vulnerable to common web vulnerabilities like XSS. For example the previous example is vulnerable because it's reflecting data given by the user.
Once a XSS is found, in this github repo you can find some payloads to increase the impact of the XSS.
This post describes different (malicious) actions that could perform a malicious Jira plugin. You can find code example in this repo.
These are some of the actions a malicious plugin could perform:
Kuficha Plugins kutoka kwa Wasimamizi: It's possible to hide the malicious plugin injecting some front-end javascript
Kuchukua Viambatisho na Kurasa: Allow to access and exfiltrate all the data.
Kuhujumu Token za Session: Add an endpoint that will echo the headers in the response (with the cookie) and some javascript that will contact it and leak the cookies.
Kutekeleza Amri: Ofc it's possible to create a plugin that will execute code.
Reverse Shell: Or get a reverse shell.
DOM Proxying: If the confluence is inside a private network, it would be possible to establish a connection through the browser of some user with access to it and for example contact the server command executing through it.
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
