Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Atlassian Jira Align Security Vulns- 976

Bishop Fox - Jake Shafer - Posted 3 Years Ago
  • Each instance of Jira Align (some Atlassian product) is deployed within an AWS EC2 environment. The ManageJiraConnectors endpoint has a parameter called txtAPIURL, which takes a URL pointing to a Jira API location.
  • Jira Align automatically appends /rest/api/2/ to this URL. However, the appended path can be neutralized by adding a URL fragment (#) to the end of the URL, since everything after the # is treated as the fragment rather than the path. As a result, the attacker is in full control of both the URL and the path of the request being made, making this a major SSRF bug.
  • To exploit this in an AWS environment, the AWS metadata endpoint could be specified. The full response body for the Jira API URL would be returned in the Jira Change log. Since we requested the AWS metadata endpoint, this leaks the credentials for the EC2 instance. From there, further privilege escalation could be attempted.
  • An additional bug was discovered in the application as well. A user with the people role permission (which is very low level) could change any user's role, including their own! So, they could become a Super Admin just by changing their own role. Overall, a good and short writeup explaining the vulnerabilities.
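
The fragment behaviour behind the SSRF bug above, next to a stricter way to build the connector URL. This is an added example, not code from Jira Align or the Bishop Fox advisory; the function names, the allowlist and the sample hosts are assumptions made up for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

API_SUFFIX = "/rest/api/2/"            # suffix the write-up says is appended
ALLOWED_HOSTS = {"jira.example.com"}   # assumption: hypothetical allowlist

def naive_build(base_url):
    """Plain string append, the behaviour the write-up describes."""
    return base_url + API_SUFFIX

def requested_path(url):
    """Path an HTTP client sends; the fragment never leaves the client."""
    return urlsplit(url).path or "/"

def safe_build(base_url):
    """Validate the connector URL, then rebuild it from parsed components."""
    # urlsplit() reports an empty fragment/query for a bare trailing '#' or
    # '?', so check the raw string as well as the parsed fields.
    if "#" in base_url or "?" in base_url:
        raise ValueError("fragment or query not allowed in connector URL")
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("connector URL must use https")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")
    # Exact-match allowlist also rejects IP literals such as link-local
    # addresses, where cloud instance metadata services live.
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        raise ValueError("host not on allowlist")
    path = parts.path.rstrip("/") + API_SUFFIX
    return urlunsplit(("https", parts.netloc, path, "", ""))

def is_accepted(base_url):
    try:
        safe_build(base_url)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for u in ("https://jira.example.com/jira",
              "https://internal.example/secret#",
              "https://169.254.10.10/anything#"):
        print(u, "| naive path:", requested_path(naive_build(u)),
              "| accepted:", is_accepted(u))
```

An allowlisted host that answers with a redirect can still steer the request to an internal address, so the outbound HTTP client should also have redirect following disabled.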