WRITE UP – ATLASSIAN BUG BOUNTY: XSS STORED IN API.MEDIA.ATLASSIAN.COM VIA DOC FILE (IOS)

Introduction:


Hi everyone, it's been a while since my last post, but I'm back. I want to tell you a short story about the Atlassian bug bounty program and why you should always try the basic payloads, because you will be surprised how often they still work:

This blogpost appeared first in the book Bug Bounty Write Ups Collection


Title: Stored XSS on https://api.media.atlassian.com in iOS browsers via an MS Office (.doc) file.

Product / URL: Any associated *.atlassian.com or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance

Report sent via Bugcrowd Atlassian Program

Hi Atlassian team.

I've found a stored XSS on https://api.media.atlassian.com in iOS browsers via an MS Office (.doc) file.

POC:

1.- Create an MS Office document, for example a Word document, with a hyperlink pointing to the URL "javascript:alert(1)//%22onclick=alert(2)//" and save it as "Word 97-2003 Document". It is very important to save the file as 97-2003; if you save it in another format, the bug may not reproduce.

2.- Go to any public Confluence page (in my case I created a Confluence test site with anonymous permissions, https://bugbounty-test-omespino.atlassian.net) that allows anonymous users to post comments, and post the document as a comment (XSS-iOS-omespino.doc file attached):

Something important to highlight: at this point you have a "magic" link that points directly to the specially crafted .doc file.

3.- Copy the URL of the Word document and paste it into any iOS browser (Safari, Firefox, Chrome or Opera), then click the hyperlink and watch the XSS fire. Since it is a public Confluence page, you don't need to be logged in.
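The hyperlink in step 1 packs two vectors into one string: a javascript: URI, which fires if the previewer turns document links into real anchors without checking the scheme, and a URL-encoded quote (%22) followed by onclick=, which breaks out of the href attribute if the previewer decodes the link and splices it into HTML as a string. The following is an added example in JavaScript, not code from the original report or from Atlassian; the previewer functions, the base URL and the scheme allowlist are assumptions for illustration, and only the payload string is taken from the write-up. It shows a vulnerable renderer beside a hardened one that rejects both vectors.

```javascript
// Added example (not Atlassian's code): how a document previewer can turn a
// hyperlink stored in an uploaded .doc into a clickable anchor safely.
// BASE_URL, ALLOWED_SCHEMES and the render functions are assumptions.

const BASE_URL = "https://api.media.atlassian.com/"; // assumed page origin

// Only these URL schemes may become clickable links in the preview.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Sample input taken from the write-up: the hyperlink target embedded in the
// .doc. It combines a javascript: URI with a quote-escape attempt (%22 = ")
// aimed at renderers that URL-decode the link straight into raw HTML.
const PAYLOAD = "javascript:alert(1)//%22onclick=alert(2)//";

// Minimal HTML escaping for both text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns the normalised absolute URL if its scheme is allowed, else null.
// The WHATWG URL parser handles the usual evasions: it lower-cases the scheme,
// strips leading/trailing whitespace and embedded tab/newline characters, and
// resolves relative targets against the page origin.
function safeLinkTarget(href) {
  let url;
  try {
    url = new URL(href, BASE_URL);
  } catch (e) {
    return null; // unparsable, do not link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Vulnerable rendering: the link from the document is decoded and pasted
// straight into markup with no scheme check and no escaping. Both halves of
// the payload succeed here: javascript: runs on click, and the decoded %22
// closes the attribute so onclick= becomes a second handler.
function renderLinkUnsafe(href, label) {
  return `<a href="${decodeURIComponent(href)}">${label}</a>`;
}

// Hardened rendering: scheme allowlist first, escaping second. Links that fail
// the allowlist are downgraded to inert text so the document still displays.
function renderLinkSafe(href, label) {
  const target = safeLinkTarget(href);
  if (target === null) {
    return `<span>${escapeHtml(label)}</span>`;
  }
  return `<a href="${escapeHtml(target)}" rel="noopener">${escapeHtml(label)}</a>`;
}

// Stand-alone demo: compare the two renderers on the write-up's payload and
// on a benign link.
console.log(renderLinkUnsafe(PAYLOAD, "click me"));
console.log(renderLinkSafe(PAYLOAD, "click me"));
console.log(renderLinkSafe("https://example.com/report", "report"));
```

The order matters: validate the scheme on the parsed URL, then escape the normalised result when writing the attribute. Escaping alone would not have stopped the javascript: vector, and an allowlist applied to the raw string would be fooled by case or whitespace tricks that the URL parser normalises away.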



Impact:

Stored XSS allows an attacker to embed arbitrary malicious scripts into a vulnerable page, which are then executed when a victim views the page.

Environment:

iPhone 6 – iOS v11.2.5.
Safari, latest version
Google Chrome / Safari, latest version
My personal email account; all testing was done by sending emails to myself.

Report Timeline:

Feb 19, 2018: Sent the report to Atlassian team
Feb 21, 2018: Got a message from Atlassian team that they could not replicate the bug
Feb 22, 2018: Sent clarification to Atlassian team
Mar 05, 2018: Report triaged
Mar 19, 2018: Fixed and rewarded

Well, that's it. Share your thoughts: what do you think about how they handled this security issue? If you have any doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.
