
Azure AD, or Entra ID, whatever; for simplicity, in that case this redirects you to the Microsoft domain where you need to present your authentication. It's quite obvious, and plus or minus reflects the stuff from the previous slide: what you would actually expect when you deploy this in a proper way. When you go to something like the customer portal, which is the service desk from Atlassian, you will be redirected to this page, right? So anything that comes after this slash should be redirected, to implement zero trust in such a concept. When you try something like a SQL injection, the WAF should block it as well, and you could add some interesting stuff like sign-up for the customer portal, which potentially can be configured to be blocked within the Atlassian project, but you could also do this through the WAF, basically saying: whatever goes to this page, just block it. So it's something in front of any application of yours behind it, blocking things. So it's cool; this is how it should be expected.

However, misconfiguration happens, and we started discussing with another guy from my team: okay, what can we do with this? Basically, the stuff we tested during this deployment procedure from on-prem to cloud looked good, but maybe because of different plugins, like people deploying a Slack plugin or deploying other things that potentially need to be integrated into Jira, they also added some WAF whitelists, because those plugins don't work very well with some WAF in front of Jira or any application in the back end. So what they did: they put a destination which means nothing in that sense and just put /slack/, which basically bypasses the WAF entirely because of misconfiguration, right? It's stupid, but it was also a recommendation somewhere in the old stuff, when you do on-prem, to just whitelist that stuff, so they did it. And we used this to also access the application without authentication, because you are not redirected after that, so you could access the application outside of the redirection page, which opens up a possibility, for example, for brute forcing or some other things. So we can log on into Jira not using Azure AD but using direct communication with Jira, because the credentials are stored or synced somewhere.

We also started playing around a little bit and looking at what we can do. We also found another one here, which is /security, for bypassing stuff from the WAF and also bypassing SSO. So we started looking into our web page, our deployment instances, from an anonymous perspective. There is no login at all right now. This is what was also reported last week by L: that you need to fix it and be careful. We also confirmed the same stuff by going to browser.com, just browsing, and browsing is like a rabbit hole, how far you would like to go. So we opened our instance from somewhere outside of the world, completely outside, and we found that there is anonymous stuff. So what you could actually do with this: first, if you put an offensive hat on, you could actually start creating cases. By creating cases you can actually look into what systems are referred to, so it's basically enumeration, information gathering from the system that you use inside, from outside, without any authentication at all. It's probably not very critical, but if you put it all together with the stuff we heard about today, it might be very interesting. So we created a fake case, then went as a normal user to that case and looked into who was the creator or reporter. In that case it was actually Anonymous, so it was confirmation that anyone on the internet could create cases within our Jira instances, which leads to many other things if you look back into the RCEs and so on, so someone can exploit those bugs from before to put in some code which will call back to your infrastructure. We said okay, fine, reported back to the security team who deals with this stuff, they fixed it, and we said okay, fine, what else can we do?

We just started looking into the search button and also found some information, maybe not new for you, but actually interesting: some of the projects were publicly available. When we moved from on-prem to cloud, no one looked into IAM, identity and access management, within the project in Jira, because previously it was within the company, so everyone thought that you still need to be present within the infrastructure to be able to exploit it. But right now it's actually available for everyone. So yeah, pretty bad; fixed in a couple of hours, but it was still quite an interesting discussion back and forth.

When they fixed it, we thought okay, Anonymous is blocked, what else can we do? The obvious thing is brute force, right, because we can bypass the initial SSO redirection to Azure AD, so we could basically use whatever usernames and passwords just to test whether they work or not. And again, remember, this is brute forcing your internal credentials in the system from the internet, which is quite critical. Nice. We said okay, fine, maybe it's not a good idea just to brute force; maybe we need to find another way. If you look back into this whole concept, as I said, if you are sitting here, instead of going to the web browser which redirects you there, you could try to log on directly to the web application if you know where to go. Therefore we started thinking: okay, why can't we just reset a password for a user, right? We can't, for example, get anonymous access; we can't brute force, or we could, depending on the quality of the passwords. But if you have access to the internal system, or access to one of the emails of the users within the company (and how many users are inside your company? We have quite a lot), the whole point is that if you have access to the email itself of any user, you could initiate this password reset and get access to the application, again bypassing this Azure AD stuff and potentially bypassing conditional access, MFA and all those other mechanisms that you think protect your applications.

We thought okay, fine. When we started reporting, they said: yeah, you know, we have another mechanism to block this access to the system; they also pushed, or prioritized, moving from the old email stuff to the new provider. We said okay, fine, what can we do next? Anonymous stuff is blocked, brute force is probably not so efficient, we can reset, but probably we can also create some accounts, right? Why not? I mean, why not just do it: I used my own personal email account and also some fake kind of ID; we have a Stud BR ID which we internally use in offensive stuff. We emulated one of the senior security analysts within the SOC to look like him and also started creating cases, because it's a service desk, so maybe it's possible to do something. Just to show you: when you do private stuff, I got a confirmation from Jira that you could create your own account ("thank you, your private stuff") within the company, with my private mail somewhere there as well. But the funniest stuff: since you are logged into this support portal, you could start enumeration or reconnaissance as an internal user, which means you could look into more details about what systems are used. Probably, I don't know, register a new application in the CMDB; maybe it's a good idea to just create some stuff there as well. So there's limitless stuff there, but we started with direct things just to show the impact of that. We started: okay, cool, could we reset some password, probably for some systems internally, because the list is available. On the left side you see some of what it is about, and on the right side, when you create a case you could also share this case with users, so basically on the right side here you have a list of all users registered within this system. I mean, for a potential threat actor this is very useful information, because you could basically spam those. And the most interesting thing here is that it's not only Stud BR but also third-party service providers that work for us or collaborate with us, so lots of potential vectors open up after that when you do this.

Interesting things here: of course, social engineering. We tested support: we just chose a couple of systems and said, you know, we have a couple of fake users here, and we're saying that this is our security analyst, and we said, could you just set some password or something for me, please? And since Jira visualizes this stuff as first name, last name, it's actually quite difficult to go inside and see who's behind it. So we have a fake user with our fake domain, and in front it says that this is our real analyst, which also tests the procedure of password reset and other things. If you look into the comments and details and so on (in that case you see it in another one), you could find this information about who is behind it, but it's not trivial, especially for the first line of support. We tried to create a couple of users: this is our CISO in Stud Brand, so we created a fake user under the CISO, a fake account of the CISO, so we created a two-step communication: you ask for the password reset from that user and then get the confirmation from that fake CISO, the manager of that user. So you could basically do communication, and of course, depending on the processes, it could be a different response. In our case we didn't succeed, but it shows how you could use it in further attacks, and only your imagination stops you here. And of course, again, back to those RCEs and so on, you also open stuff up for things like XSS attacks and everything else. It's just an example here that you could put in whatever you want, upload some pictures, probably use it as C2 for communication with the internal system through Jira cases, maybe, I don't know, probably, and ask for other password resets, especially when you have an initial compromise of any account internally in the system.

As a bonus on top of this, we also found that it's possible to create personal access tokens for users registered there, so even when the password reset and recovery is done and everything, you could always have a back door inside, basically having API tokens and then communicating with the Jira API directly without MFA and the other things related to that. So it was fun, you know, just a couple of days of doing offensive security, doing hacking and finding new stuff, with the blue team trying to fix things and also the cloud architects trying to fix all the stuff related to SSO and WAF.

What we learned, or how we can summarize the impact: first of all we started with anonymous access; then we said okay, fine, if you can't do this you could go further to brute force, password reset, probably sign up for an account if it's possible, or if one of those is done you could continue with enumeration internally and probably continue with social engineering, and get more and more knowledge about internal resources and keep track of the users inside, and as a bonus, as I said, there is a back door on top of that. What I would like to highlight here is that it's not about Atlassian products in general, right, because if you remember this Entra ID picture, the application that you put behind SSO could be anything. Whatever you have an integration with SSO for, you need to think: okay, is it possible to bypass this SSO by just going directly to the sign-up page of this application and doing something there? So there are lots of things you could say went wrong, but the whole point for us is not to blame someone. We actually also tested the recovery possibilities, so we spent a couple of days together moving back and forth, but in a couple of days we fixed the SSO redirect and various configurations, also on the test environment and other things. And having this experience, and also the opportunity: when this Confluence stuff came, we knew how to fix it; within 20 minutes we basically just added a couple of things to the WAF and that's all, and just looked into the logs and the WAF to see whether someone tried to access those links available on the public internet where the exploit worked. So this is basically the whole point: not to blame someone, but to try to improve your, I would like to say, NIST CSF stuff, like recovery capabilities, in that specific case. Thank you for your time.

[Moderator] Thank you very much. A great use case that cloud is not always more secure. Any questions? Oh,
[Audience member] Thanks very much, fascinating talk, thanks for that. I have two kind of related questions. One is: why is it sometimes necessary to put Jira on the internet? Is it integrations, bidirectional integrations that need access? And the second question: what do you think of using SSO as a reverse proxy for Jira, full stop, so that none of these vulnerable paths are ever reachable?

[Alexander] So the first question was... what was that? Yes, when you actually need to put it there. Yes, correct. As I said, moving to the cloud has some pieces: you have budgets, you have some limitations, you need to move forward as quickly as possible, and therefore you use techniques like lift and shift, or an approach where you do not think about redesigning the whole thing or buying services and looking into the past, basically saying that everything that works, please do not touch, just let it work, right? And when it comes to reverse proxies, there are lots of mechanisms that could be put into place, right, and we thought, or not we, but the first line of defense thought that the WAF is more than enough to be able to protect from those kinds of attacks. But as I said, you could basically deploy, you could test, but you do not retest it after a while, so there are lots of changes made after the actual deployment, lots of whitelisting of integrations and so on. So it's kind of bad security practice, I would say, but it's around everything, right? So yeah, you're right, there are lots of mitigation measures that could be in place.

[Moderator] Okay, any other questions? Okay, then I have one question. You mentioned that the main vulnerability was due to the Entra ID SSO authentication part, which you prevented with the WAF, or you circumvented the WAF. Have you also tried other cloud tools you are using, and were you successful with that?

[Alexander] It's not the main... the main vulnerability is not about that. The main thing there is misconfiguration: how we use those security tools, whether we configured them properly, and whether we looked into other ways of bypassing those instead of just going directly to the door, right, finding some other windows or something. So the point here is that it could be any identity provider there; the whole SAML flow works in the same way, whether you use Okta or, I don't know, Google stuff or Auth0 or whatever, it will be approximately the same. The whole point is that what was previously known as Kerberos has currently moved into Azure, or not Azure, but the internet; they just use another technique to actually give you a ticket, right, with signatures and everything, that you could present further to be able to authenticate and build trust between those two. So answering the question: those attacks are regardless of identity providers. Okay, we could elaborate after the talk.

[Moderator] Any other questions? Okay, then again a round of applause for Alexander, and thank you very much. Now we have a 30 minute break, so see you [Applause] later.

[Audience member] Sorry, sorry, hi, quick question. So of course it's kind of like shifting from the
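One way to go looking in access logs for the bypass paths the talk walks through (WAF-exempt integration prefix, direct local login instead of the IdP redirect, anonymous case creation, personal access tokens), as an added example that is not from the talk, the speaker's team or Atlassian: every endpoint path, the thresholds and the sample log lines are constructed placeholders to be replaced with the real endpoints of the application sitting behind SSO.

```python
import re
from collections import Counter

# Constructed sample access log (not from the talk), combined-log-like format.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:10:01:02 +0000] "GET /slack/ HTTP/1.1" 200
203.0.113.10 - - [10/Oct/2023:10:01:05 +0000] "POST /login HTTP/1.1" 401
203.0.113.10 - - [10/Oct/2023:10:01:06 +0000] "POST /login HTTP/1.1" 401
203.0.113.10 - - [10/Oct/2023:10:01:07 +0000] "POST /login HTTP/1.1" 401
203.0.113.10 - - [10/Oct/2023:10:01:08 +0000] "POST /login HTTP/1.1" 200
198.51.100.7 - - [10/Oct/2023:10:02:00 +0000] "POST /portal/create-request HTTP/1.1" 201
198.51.100.7 - alice [10/Oct/2023:10:03:00 +0000] "POST /api/personal-tokens HTTP/1.1" 201
192.0.2.5 - bob [10/Oct/2023:10:04:03 +0000] "GET /dashboard HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Hypothetical placeholder paths: substitute the real endpoints of your app behind SSO.
WAF_EXEMPT_PREFIXES = ("/slack/",)                 # integration prefix whitelisted on the WAF
DIRECT_AUTH_PATHS = {"/login", "/signup", "/password-reset"}  # must only be reached via SSO
ANON_WRITE_PATHS = {"/portal/create-request"}      # anonymous case creation
TOKEN_PATHS = {"/api/personal-tokens"}             # personal access tokens = MFA-less back door
BRUTE_FORCE_THRESHOLD = 3                          # failed logins per IP before flagging

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # line does not match the expected format
    ip, user, method, path, status = m.groups()
    return {"ip": ip, "user": user, "method": method, "path": path, "status": int(status)}

def find_sso_bypass_candidates(log_text):
    """Return (reason, ip, detail) findings for requests that skip the SSO front door."""
    findings, login_failures = [], Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        if path.startswith(WAF_EXEMPT_PREFIXES):          # traffic the WAF never inspects
            findings.append(("waf-exempt-prefix", ip, path))
        if path in DIRECT_AUTH_PATHS:                     # local login instead of IdP redirect
            findings.append(("direct-auth-endpoint", ip, path))
            if method == "POST" and status == 401:
                login_failures[ip] += 1
        if path in ANON_WRITE_PATHS and method == "POST" and rec["user"] == "-":
            findings.append(("anonymous-write", ip, path))
        if path in TOKEN_PATHS and method == "POST" and status < 300:
            findings.append(("pat-created", ip, path))
    for ip, n in login_failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:                    # password guessing against local auth
            findings.append(("password-guessing", ip, f"{n} failed logins"))
    return findings
```

Any hit on a direct-auth endpoint while SSO is supposed to be enforced is itself the finding; the other reasons rank which of the talk's follow-on steps the traffic resembles.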