Update page

to reflect changes in the API
N7WEra 2023-12-11 14:25:00 +00:00 committed by GitHub
parent ef14d419ab
commit 08a6342a99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 0 deletions

@ -23,6 +23,15 @@ Inside a Jira instance **any user** (even **non-authenticated**) can **check its
If a **non-authenticated** user have any **privilege**, this is a **vulnerability** (bounty?).\
If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
Update: As of 18th September 2023 - the 'mypermissions' endpoint requires a 'permission' parameter with one of the following parameters
[https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
- BROWSE_PROJECTS
- CREATE_ISSUES
- ADMINISTER_PROJECTS
Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
```bash
#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
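
Review bot: The added "Update" sentence names the query parameter as 'permission', but the added example URL uses `permissions=`; the prose should use the same spelling as the example so readers do not send the wrong parameter. The wording "one of the following parameters" also conflicts with the example, which passes all three listed values as a comma-separated list, so say "one or more of the following values, comma-separated". Finally, the unchanged `curl` line at the end of this hunk still requests `/rest/api/2/mypermissions` with no query string, which contradicts the note just added above it: either append `?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` to that command (quoting the URL for the shell) or state which instances still accept the bare request.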