1. CVE-2020-14179 (Information Disclosure)
a. Navigate to
b. It leaks information about custom fields, custom SLA, etc.
2. CVE-2020-14181 (User Enumeration)
a. Navigate to
#Learn365 Day-4: Unauthenticated & Exploitable JIRA Vulnerabilities
There are multiple security vulnerabilities associated with the various versions of JIRA software which are exploited in wild and is one of my personal favourite 3rd Party apps to hunt.
#BugBountyTips
(1/n)
1. CVE-2020-14179 (Information Disclosure)
a. Navigate to
b. It leaks information about custom fields, custom SLA, etc.
2. CVE-2020-14181 (User Enumeration)
a. Navigate to
3. CVE-2020-14178 (Project Key Enumeration)
a. Navigate to
b. Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.
4. CVE-2019-3402 (XSS)
a. Navigate to
5. CVE-2019-11581 (SSTI)
a. Navigate to
6. CVE-2019-3396 (Path Traversal)
7. CVE-2019-8451 (SSRF)
a. Navigate to
8. CVE-2019-8451 (SSRF)
a. Navigate to
9. CVE-2019-8449 (User Information Disclosure)
a. Navigate to
b. Observe that the user related information will be available.
10. CVE-2019-3403 (User Enumeration)
a. Navigate to
b. Observe the difference in response when valid vs. invalid user is queried.
11. CVE-2019-8442 (Sensitive Information Disclosure)
a. Navigate to
b. Observe that the pom.xml file is accessible.
Tools: Nuclei Template can be used to automate most of these CVEs Detection.
H1 Reports:
- https://t.co/AaXKHt4NZZ
- https://t.co/hNrzpDgB5A
Blogs:
- https://t.co/ZMVc80vrYQ
More from Software
Software architecture is in crisis, and the way to fix it is a hefty dose of anarchy.
Some lay the blame for this on @boicy with the whole microservices thing.
(Admittedly, @nicolefv, @jezhumble and @realgenekim didn’t help when they statistically proved that he might have been onto something with all that de-coupling and team-alignment…)
However I don’t blame him at all.
I think he saved us; bringing us back to the path of value-delivery and independent services, but now with added independent teams.
But one thing is clear. Microservices need more architecture, not less (as do other forms of #Accelerate-style software organisation).
(See https://t.co/B2hWmXhIqe if you need convincing)
I mean, all those pesky slices we need to carve up our monoliths (or were they big balls of mud?) That’s a significant amount of work right there…
Some lay the blame for this on @boicy with the whole microservices thing.
(Admittedly, @nicolefv, @jezhumble and @realgenekim didn’t help when they statistically proved that he might have been onto something with all that de-coupling and team-alignment…)
However I don’t blame him at all.
I think he saved us; bringing us back to the path of value-delivery and independent services, but now with added independent teams.
But one thing is clear. Microservices need more architecture, not less (as do other forms of #Accelerate-style software organisation).
(See https://t.co/B2hWmXhIqe if you need convincing)
I mean, all those pesky slices we need to carve up our monoliths (or were they big balls of mud?) That’s a significant amount of work right there…
🚨 🦮 Seven ways to test for accessibility using only what is already in browser developer tools of Chromium browsers https://t.co/C7kdbigHGE
@MSEdgeDev @EdgeDevTools @ChromiumDev
#tools #accessibility #browsers
Also, a thread: 👇🏼
Issues pane, powered by @webhintio, listing accessibility issues with explanations why these are problems, links to more info and direct links to the tools where to fix the problem. https://t.co/4K5RynHhbg
The inspect element overlay showing accessibility relevant information of the element, including contrast information, ARIA name, role and if it can be focused via keyboard.
Colour picker with contrast information offering colours that are AA/AAA compliant. You can also see compliant colours indicated by a line on the colour patch.
Note: the current algorithm fails to take font weight into consideration, that's why there will be a new one.
Vision deficit ("colour blindness") emulation. You can see what your product looks like for different visitors.
https://t.co/bxj1vySCAb
@MSEdgeDev @EdgeDevTools @ChromiumDev
#tools #accessibility #browsers
Also, a thread: 👇🏼
Issues pane, powered by @webhintio, listing accessibility issues with explanations why these are problems, links to more info and direct links to the tools where to fix the problem. https://t.co/4K5RynHhbg
The inspect element overlay showing accessibility relevant information of the element, including contrast information, ARIA name, role and if it can be focused via keyboard.
Colour picker with contrast information offering colours that are AA/AAA compliant. You can also see compliant colours indicated by a line on the colour patch.
Note: the current algorithm fails to take font weight into consideration, that's why there will be a new one.
Vision deficit ("colour blindness") emulation. You can see what your product looks like for different visitors.
https://t.co/bxj1vySCAb
Are you a Designer or a Developer?👨💻
Here are some Google Chrome extensions that can make you better in 2021. 🔥🍀
(Thread) 🧵👇
1. https://t.co/zGir5E5U0J: https://t.co/PVx1wlX0Se is the easiest way to stay updated on the latest programming news. Get the hottest dev news from the best tech blogs on any topic you can think of.
2. CSS Peeper: CSS Peeper is a CSS viewer tailored for Designers. Get access to useful styles with our Chrome extension. Its mission is to let Designers focus on design, and spend as little time as possible digging in a
3. UX Check: UX Check makes heuristic evaluations quick and easy. The extension will open up Nielsen's Ten Heuristics in a side pane next to your website.
4. Checkbot: Checkbot finds critical SEO, speed & security problems before your website visitors do
Tests 100s of pages at once for broken links, duplicate titles, invalid HTML, insecure pages, and 50+ other
Here are some Google Chrome extensions that can make you better in 2021. 🔥🍀
(Thread) 🧵👇
1. https://t.co/zGir5E5U0J: https://t.co/PVx1wlX0Se is the easiest way to stay updated on the latest programming news. Get the hottest dev news from the best tech blogs on any topic you can think of.
2. CSS Peeper: CSS Peeper is a CSS viewer tailored for Designers. Get access to useful styles with our Chrome extension. Its mission is to let Designers focus on design, and spend as little time as possible digging in a
3. UX Check: UX Check makes heuristic evaluations quick and easy. The extension will open up Nielsen's Ten Heuristics in a side pane next to your website.
4. Checkbot: Checkbot finds critical SEO, speed & security problems before your website visitors do
Tests 100s of pages at once for broken links, duplicate titles, invalid HTML, insecure pages, and 50+ other
