Weaponizing BURP to work as an evil SSRF Confluence Server.

I was doing bounty on a private H1 program that interacts with various external services one of them was Atlassian Confluence and Jira.

As you know, you can run Atlassian on their cloud service at Atlassian.net, or in your own server. The Web application provided an input box to the URL and another input to the token to auth.

I created a Confluence wiki at atlassian.net, created a wiki page, wrote a few strings and added attachments, connected to this application, and the application downloaded completely the wiki page with their attachments on separate files.

What if I try to emulate an Atlassian server and manage to serve a 302 redirect at the time of serving the wiki attachments?

Let’s make a try,

The first thing that I did, was to open 8081 port to my router, and set up Burp to forward all the traffic to Atlassian IP so I redirected my HTTP traffic to HTTPS Atlassian IP like this:

The first MUST rule to add to search and replace is changing Host: MYOWNIP to Host: testwiki.atlassian.net. Otherwise, the Atlassian server will don’t know how to forward my traffic because that hostname with my IP is not on their WebServer config.

I tried the application on the testing app and It worked, the first HTTP request was forwarded, but all the next requests was going back to testwiki.atlassian.net.
I had to add a second match and replace this time in the Response Body, to find all https://testwiki.atlassian.net and change them to http://MYIP:8081.

After those 2 “match and replace” rules, on HTTP Proxy I could sniff and see all the HTTP Requests between the App and the Confluence server, so I waited for the app to try to synch attachments

And the HTTP Request was like this:

GET /wiki/download/attachments/229377/mobile_login_screen.png?version=1&modificationDate=1575987229920&cacheVersion=1&api=v2 HTTP/1.1
Host: testwiki.atlassian.net

With Response:

HTTP/1.1 302 Found 
Server: AtlassianProxy/
Cache-Control: private, max-age=2880
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
Date: Tue, 10 Dec 2019 14:47:32 GMT
ATL-TraceId: 8b71903514af8688
Location: https://api.media.atlassian.com/file/56a6cf71-cb37-473d-ba1b-9d5fbab9f2d3/binary?token=eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiI2Y2M5MmM2YS0xMzc5LTQ0ZmEtODJjMy02OTM3N2ZlMmEyZDciLCJhY2Nlc3MiOnsidXJuOmZpbGVzdG9yZTpmaWxlOjU2YTZjZjcxLWNiMzctNDczZC1iYTFiLTlkNWZiYWI5ZjJkMyI6WyJyZWFkIl19LCJleHAiOjE1NzYwNzIxNzIsIm5iZiI6MTU3NTk4OTE5Mn0.PMUm-azK6W-pxtssU_acN6Ut4ZZRXWJGxsE17m1JAfk&client=6cc92c6a-1379-44fa-82c3-69377fe2a2d7&name=mobile_login_screen.png&max-age=2940

And you can see the Location redirect to api.media.atlassian.com, that’s AWESOME.

A simple match/replace rule with regex, a test and finally:

HTTP Proxy showed up the original response and the modified with match/replace one.

And now all the attachments were 205 bytes with the access token inside of them. YEAH!

Burp helped me a lot on this one, otherwise, I would have to set up an HTTP Proxy with logs to sniff al the traffic, emulate each JSON request with PHP, Python or whatever scripting software you feel comfortable.
This method from start to end took me about an hour, but coding myself a proxy script and emulate all could have taken me a whole day. Thumbs up to Burp to be a bounty hunting tool and a proxy weapon sometimes too! That license worth every penny.

H1 Profile: https://hackerone.com/edduu
Twitter: https://twitter.com/MasterSEC_AR




It Security company from Argentina. Penetration Testing, Red Team, Bug Bounty, Training.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Master SEC

Master SEC

It Security company from Argentina. Penetration Testing, Red Team, Bug Bounty, Training.

More from Medium

My Reason for Writing on Medium as a Bug Bounty Hunter

Intigriti — XSS Challenge — January 2022 — Bug Bounty Hunting — Writeup

How I was able to read any users confidential reports on a public level domain