
Jira Unauthenticated Project Categories

By kannthu

Informative
Vidoc Module
#atlassian #jira
Description


What is the "Jira Unauthenticated Project Categories" module?

The "Jira Unauthenticated Project Categories" module detects a misconfiguration in Atlassian Jira, a widely used project management product: project categories that can be listed through the REST API without authentication. This module is created by an unknown author.

This module has an informative severity level, which means it provides valuable information but does not pose a direct security risk.

Impact

If the misconfiguration is present, unauthenticated users may be able to view and modify project categories in Jira. This could lead to unauthorized access to sensitive project information and potential data breaches.

How does the module work?

The module sends an HTTP GET request, without any credentials, to the "/rest/api/2/projectCategory?maxResults=1000" endpoint of the Jira instance. It applies the following matching conditions to avoid false positives:

- The response must have a status code of 200.
- The response headers must contain the word "atlassian.xsrf.token".
- The response body must contain the words "self", "description", and "name".

If all the matching conditions are met, the module reports a potential misconfiguration in the Jira instance.

Here is an example of the HTTP request sent by the module:

GET /rest/api/2/projectCategory?maxResults=1000

Note: The actual module definition is not shown here for simplicity.
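The following is an added example, not the Vidoc module definition itself, showing how the three matching conditions above can be evaluated against a captured HTTP response, so that an administrator can verify an instance of their own offline or from a saved response. The `response_matches`, `exposed_category_names` and `fetch_and_check` functions, the host name `jira.example.invalid` and the sample headers and body are all constructed for this example.

```python
"""Evaluate the module's matching conditions against a Jira HTTP response.

Added example code (not Vidoc's module definition). The sample response
values below are constructed; the host name is a reserved example domain.
"""
import json
import urllib.error
import urllib.request
from typing import Mapping

ENDPOINT = "/rest/api/2/projectCategory?maxResults=1000"
REQUIRED_BODY_WORDS = ("self", "description", "name")
REQUIRED_HEADER_WORD = "atlassian.xsrf.token"


def response_matches(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Return True only when all three conditions hold: HTTP 200, a header
    (name or value) containing the XSRF cookie name, and every required word
    present in the body. Header matching is case-insensitive because header
    names are case-insensitive and Jira's cookie name is lowercase."""
    if status != 200:
        return False
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items()).lower()
    if REQUIRED_HEADER_WORD not in header_blob:
        return False
    return all(word in body for word in REQUIRED_BODY_WORDS)


def exposed_category_names(body: str) -> list:
    """Parse the endpoint's JSON array and return the category names it
    discloses; a non-JSON or non-array body yields an empty list, which is
    useful when triaging what an anonymous caller actually learned."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [c.get("name", "") for c in data if isinstance(c, dict)]


def fetch_and_check(base_url: str, timeout: float = 10.0) -> bool:
    """Hypothetical helper: request the endpoint from your own instance
    without credentials and apply the conditions. urllib raises HTTPError
    for 401/403, which is the expected result on a hardened instance."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return response_matches(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        # Anonymous access denied: the module's status condition fails.
        return response_matches(err.code, dict(err.headers), "")


# Constructed sample: what an unauthenticated GET returns when anonymous
# browsing of project categories is permitted.
SAMPLE_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Set-Cookie": "atlassian.xsrf.token=EXAMPLE-TOKEN|lout; Path=/; Secure",
}
SAMPLE_BODY = json.dumps([
    {"self": "https://jira.example.invalid/rest/api/2/projectCategory/10000",
     "id": "10000", "name": "Internal", "description": "Internal projects"},
])

# Constructed sample of a hardened instance: no cookie, no category data.
DENIED_HEADERS = {"Content-Type": "application/json"}
DENIED_BODY = "{}"


if __name__ == "__main__":
    print("open instance matches:", response_matches(200, SAMPLE_HEADERS, SAMPLE_BODY))
    print("exposed categories:", exposed_category_names(SAMPLE_BODY))
    print("denied instance matches:", response_matches(401, DENIED_HEADERS, DENIED_BODY))
```

Note that the condition set is a heuristic: a 200 response whose body happens to contain the three words but lacks the XSRF cookie header is not reported, and an empty JSON array from a permissive but category-less instance is not reported either, because the body words are absent.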

It is important to regularly scan and address any misconfigurations in Jira to ensure the security and integrity of project data.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/rest/api/2/projectC...
Matching conditions
word: self, description, name
and
status: 200
and
word: atlassian.xsrf.token
Passive global matcher
No matching conditions.
On match action
Report vulnerability