Hi everyone. It’s been a while since my last post, but I’m back. I want to tell you a short story about the Atlassian bug bounty program and why you should always try the basic payloads, because you will be surprised that sometimes they work:
This blog post first appeared in the book Bug Bounty Write Ups Collection.
Title: XSS stored on file https://api.media.atlassian.com on iOS browsers via msoffice (doc) file.
Product / URL: Any associated *.atlassian.com or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance
Report sent via Bugcrowd Atlassian Program
Hi Atlassian team.
I’ve found an XSS stored in a file on https://api.media.atlassian.com on iOS browsers via an MS Office (doc) file.
2.- Find any public Confluence page that allows comments from anonymous users (in my case I created a Confluence test page with anonymous permissions at https://bugbounty-test-omespino.atlassian.net) and post the document as a comment (XSS-iOS-omespino.doc file attached):
Something important to highlight: at this point you have a “magic” link that points directly to the specially crafted doc document.
3.- Copy the URL of the Word document and paste it into any iOS browser (Safari, Firefox, Chrome or Opera), then click the hyperlink and the XSS shows up. Since it is a public Confluence page, you don’t need to be logged in.
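A defender-side check that this report suggests, as an added example (not code from the post or from Atlassian): scan an uploaded Office document for hyperlink targets that use a script-capable scheme before the file is served or previewed. It assumes the trigger was a hyperlink inside the document with such a target (the post only says "click the hyperlink") and handles OOXML .docx rather than the binary .doc in the report; the sample document and its links are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # schemes a document link may legitimately use


def external_hyperlinks(docx_bytes: bytes) -> list[str]:
    """Return every external hyperlink target declared in word/_rels/document.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        try:
            rels = zf.read("word/_rels/document.xml.rels")
        except KeyError:
            return []  # no relationships part, so no hyperlinks to check
    root = ET.fromstring(rels)
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External"
    ]


def unsafe_hyperlinks(docx_bytes: bytes) -> list[str]:
    """Targets whose scheme is not allow-listed (javascript:, data:, vbscript:, ...)."""
    flagged = []
    for target in external_hyperlinks(docx_bytes):
        # Remove embedded whitespace before parsing: "java script:" is still javascript.
        scheme = urlsplit("".join(target.split())).scheme.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            flagged.append(target)
    return flagged


def build_sample_docx(targets: list[str]) -> bytes:
    """Constructed test input: a minimal .docx holding only the part the scanner reads."""
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{HYPERLINK_TYPE}" Target="{t}" TargetMode="External"/>'
        for i, t in enumerate(targets, 1)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{RELS_NS}">{rels}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_hyperlinks(build_sample_docx(["https://example.com/", "javascript:alert(document.domain)"])))
```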
Stored XSS allows an attacker to embed malicious, arbitrary scripts into a vulnerable page, which are then executed when a victim views the page.
iPhone 6 – iOS v11.2.5.
Safari, latest version
Google Chrome / Safari, latest version
My personal email account; all testing was done by sending emails to myself.
Feb 19, 2018: Sent the report to Atlassian team
Feb 21, 2018: Got a message from Atlassian team that they could not replicate the bug
Feb 22, 2018: Sent clarification to Atlassian team
Mar 05, 2018: Report triaged
Mar 19, 2018: Fixed and rewarded
Well, that’s it. Share your thoughts: what do you think about how they handled that security issue? If you have any doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.