Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Similar documents
Atlassian Crowdsourced Penetration Test Results: January 2018

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

RiskSense Attack Surface Validation for Web Applications

C1: Define Security Requirements

Development*Process*for*Secure* So2ware

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Bugcrowd v1.6 - Nov. 2, 2018

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Whitepaper

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Application Threats and Remediation. Terry Labach, IST Security Team

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Application Security Approach

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Security Communications and Awareness

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Security Communications and Awareness

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Certified Secure Web Application Engineer

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Web Applications Penetration Testing

Copyright

RiskSense Attack Surface Validation for IoT Systems

ShiftLeft. Real-World Runtime Protection Benchmarking

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Applications Security

Synology Security Whitepaper

Presentation Overview

COMP9321 Web Application Engineering

Solutions Business Manager Web Application Security Assessment

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Security Solutions. Overview. Business Needs

V Conference on Application Security and Modern Technologies

Web Application Security. Philippe Bogaerts

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Vulnerability Assessments and Penetration Testing

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Protect Your Organization from Cyber Attacks

Engineering Your Software For Attack

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Managed Application Security trends and best practices in application security

Automating the Top 20 CIS Critical Security Controls

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

CSWAE Certified Secure Web Application Engineer

SECURITY TESTING. Towards a safer web world

Mitigating Security Breaches in Retail Applications WHITE PAPER

COMP9321 Web Application Engineering

THE ART OF SECURING 100 PRODUCTS. Nir

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

Continuously Discover and Eliminate Security Risk in Production Apps

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

Application. Security. on line training. Academy. by Appsec Labs

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Professional Services Overview

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Security Policy

Product Security Program

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Effective Strategies for Managing Cybersecurity Risks

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

MBFuzzer - MITM Fuzzing for Mobile Applications

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

10 FOCUS AREAS FOR BREACH PREVENTION

Trustwave Managed Security Testing

GDPR: An Opportunity to Transform Your Security Operations

GOING WHERE NO WAFS HAVE GONE BEFORE

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Trustwave Managed Security Testing

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

6-Points Strategy to Get Your Application in Security Shape

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

VMWARE HORIZON CLOUD SERVICE HOSTED INFRASTRUCTURE ONBOARDING SERVICE SILVER

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Web Application Penetration Testing

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Advanced Security Tester Course Outline

IBM Future of Work Forum

Large Scale Generation of Complex and Faulty PHP Test Cases

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

OWASP TOP OWASP TOP

Transcription:

Atlassian Software Development and Collaboration Tools Atlassian Bugcrowd Bounty Program Results Report created on October 04, 2017 Prepared by Ryan Black, Director of Technical Operations

Table of Contents 1 Executive Summary 2 Reporting and Methodology 3 4 3 Targets / Scope 5 4 Findings Summary 7 5 Appendix 9 6 Statement of Attestation 12 2 of 12

Executive Summary Atlassian engaged Bugcrowd, Inc. to host a Bug Bounty Program. An Bounty Program is a cutting-edge approach to an application assessment or penetration test. Traditional penetration tests use only one or two personnel to test an entire application, while a Bounty leverages a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss, in the same testing period. This report is just a summary of the information available. All details of the program's findings comments, code, and any researcher provided remediation information can be found in the Bugcrowd Crowdcontrol platform. The purpose of this engagement was to identify security vulnerabilities in the targets listed in the "Targets / Scope" section. Once identified, each vulnerability was rated for technical impact defined in the "Findings Summary" section of the report. Testing for Atlassian's targets occurred during the period of: 07/12/2017 10/05/2017. For this program, 636 researchers were invited to participate; 549 accepted the invitation. Submissions were received from 280 unique researchers. The continuation of this document summarizes the findings, analysis, and recommendations from the Bounty Program performed by Bugcrowd for Atlassian. 3 of 12

Reporting and Methodology Background The strength of crowdsourced testing lies in multiple researchers, the pay-for-results model, and the varied methodologies that the researchers implement. To this end, researchers are encouraged to use their own individual methodologies on Bugcrowd programs. The workflow of every Bugcrowd submission can be divided into the following four phases: Bugcrowd researchers who perform web application testing and vulnerability assessment usually subscribe to a variety of methodologies following the highlighted workflow, including the following: 4 of 12

Targets / Scope Scope Prior to the program launching, Bugcrowd worked with Atlassian to define the Rules of Engagement, commonly known as the bounty brief, which includes the scope of work. The following targets were considered explicitly in scope for testing: All details of the program scope and full bounty brief can be reviewed in the Bounty Brief. Any associated *.atlassian.io domain that can be exploited DIRECTLY from the *.atlassian.net instance Jira Cloud Mobile App for Android Jira Cloud Mobile App for ios Confluence Cloud Mobile App for Android Confluence Cloud Mobile App for ios JIRA (bugbounty-test-<bugcrowd-name>.atlassian.net) Confluence (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) JIRA Service Desk (bugbounty-test-<bugcrowdname>.atlassian.net) Confluence Team Calendars (https://www.atlassian.com/software/confluence/team-calendars) Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) SourceTree (https://www.sourcetreeapp.com/) https://bitbucket.org/ Confluence JIRA Software JIRA Core Jira Portfolio Confluence Questions HipChat Data Center HipChat Mobile Client 5 of 12

HipChat Desktop Client Crowd Crucible FishEye Bamboo Bitbucket Server JIRA Service Desk Team Overview The following Bugcrowd team members were assigned to this program: TEAM ROLE NAME Application Security Engineer Application Security Engineer Director of Technical Operations Director of Customer Success Jonathan Jay Turla Fatih Egbatan Ryan Black Abby Mulligan 6 of 12

Findings Summary Findings by Severity The following chart shows all valid assessment findings from the program by severity. Most of the valid vulnerability submissions to Atlassian program were classified as Moderate in technical severity. 24 Atlassian Bounty Program 22 20 18 16 14 Number of Submissions 12 10 8 6 4 2 0 P1 P2 P3 P4 Technical Severity 7 of 12

Risk and Priority Key The following key is used to explain how Bugcrowd rates valid vulnerability submissions and their technical severity. As a trusted advisor Bugcrowd also provides common "next steps" for program owners per severity category. TECHNICAL SEVERITY CRITICAL Critical severity submissions (also known as "P1" or "Priority 1") are submissions that are escalated to Atlassian as soon as they are validated. These issues warrant the highest security consideration and should be addressed immediately. Commonly, submissions marked as Critical can cause financial theft, unavailability of services, large-scale account compromise, etc. EXAMPLE VULNERABILITY TYPES Remote Code Execution Vertical Authentication Bypass XML External Entities Injection SQL Injection Insecure Direct Object Reference for a critical function HIGH High severity submissions (also known as "P2" or "Priority 2") are vulnerability submissions that should be slated for fix in the very near future. These issues still warrant prudent consideration but are often not availability or "breach level" submissions. Commonly, submissions marked as High can cause account compromise (with user interaction), sensitive information leakage, etc. Lateral authentication bypass Stored Cross-Site Scripting Cross-Site Request Forgery for a critical function Insecure Direct Object Reference for a important function Internal Server-Side Request Forgery MODERATE Moderate severity submissions (also known as "P3" or "Priority 3") are vulnerability submissions that should be slated for fix in the major release cycle. These vulnerabilities can commonly impact single users but require user interaction to trigger or only disclose moderately sensitive information. Reflected Cross-Site Scripting with limited impact Cross-Site Request Forgery for a important function Insecure Direct Object Reference for an unimportant function LOW Low severity submissions (also known as "P4" or "Priority 4") are vulnerability submissions that should be considered for fix within the next six months. These vulnerabilities represent the least danger to confidentiality, integrity, and availability. Cross-Site Scripting with limited impact Cross-Site Request Forgery for an unimportant function External Server-Side Request Forgery INFORMATIONAL Informational submissions (also known as "P5" or "Priority 5") are vulnerability submissions that are valid but out-of-scope or are "won t fix" issues, such as best practices. Lack of code obfuscation Autocomplete enabled Non-exploitable SSL issues Bugcrowd s Vulnerability Rating Taxonomy More detailed information regarding our vulnerability classification can be found at: https://bugcrowd.com/vrt 8 of 12

Appendix Included in this appendix are auxiliary metrics and insights into the Bounty program. This includes information regarding submissions over time, payouts, prevalent issue types, and how the program compared to an aggregate of all Bugcrowd programs. Submissions Over Time The timeline below shows submissions received and validated by the Bugcrowd team: Submissions Over Time validated received 60 55 50 45 40 35 30 25 20 15 10 5 0 11-10 12-13 01-15 02-17 03-22 04-24 05-27 06-29 08-01 09-03 Submissions signal A total of 664 submissions were received, with 91 unique valid issues discovered. Bugcrowd identified 110 duplicate and 1 informational submissions, and removed 474 invalid submissions. The ratio of unique valid submissions to noise was 14%, which is lower than the average ratio of 32% across Bugcrowd's other On-Demand programs. SUBMISSION OUTCOME COUNT Ratio of Unique Valid Submissions to Noise Valid 91 Invalid 474 Informational 1 Duplicate 110 Total 664 100% 75% 50% 25% 0% 14% Atlassian 32% Average Bugcrowd On-Demand Program 9 of 12

Bug Types Overview A comparison of the distribution of submissions across bug types for the program to that of Bugcrowd's other programs is shown below. Atlassian Other Cross-Site Scripting (XSS) Server Security Misconfiguration Sensitive Data Exposure Cross-Site Request Forgery (CSRF) Missing Function Level Access Control Broken Authentication and Session Management Server-Side Injection Unvalidated Redirects and Forwards Insecure Direct Object References (IDOR) Client-Side Injection Insecure Data Storage Application-Level Denial-of-Service (DoS) Insufficient Security Configurability Using Components with Known Vulnerabilities Privacy Concerns Lack of Binary Hardening External Behavior Mobile Security Misconfiguration Insecure OS/Firmware Broken Cryptography Insecure Data Transport Average On-Demand Program Other Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Server-Side Injection Mobile Security Misconfiguration Broken Authentication and Session Management Server Security Misconfiguration Insecure Direct Object References (IDOR) Sensitive Data Exposure Unvalidated Redirects and Forwards Missing Function Level Access Control Application-Level Denial-of-Service (DoS) Insufficient Security Configurability Client-Side Injection External Behavior Insecure OS/Firmware Insecure Data Storage Broken Cryptography Privacy Concerns Insecure Data Transport 10 of 12

Statement of Attestation October 04, 2017 Bugcrowd Inc. 921 Front Street San Francisco, CA 94111 Introduction Between the dates of 07/12/2017-10/05/2017, Atlassian engaged Bugcrowd Inc. to host a Bounty Program. During this time, 280 researchers from Bugcrowd submitted a total of 664 vulnerability submissions against Atlassian s targets. The purpose of this assessment was to identify security issues that could adversely affect the integrity of Atlassian. Testing focused on the following: 1. Any associated *.atlassian.io domain that can be exploited DIRECTLY from the *.atlassian.net instance 2. Jira Cloud Mobile App for Android 3. Jira Cloud Mobile App for ios 4. Confluence Cloud Mobile App for Android 5. Confluence Cloud Mobile App for ios 6. JIRA (bugbounty-test-<bugcrowd-name>.atlassian.net) 7. Confluence (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) 8. JIRA Service Desk (bugbounty-test-<bugcrowd-name>.atlassian.net) 9. Confluence Team Calendars (https://www.atlassian.com/software/confluence/teamcalendars) 10. Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) 11. SourceTree (https://www.sourcetreeapp.com/) 12. https://bitbucket.org/ 13. Confluence 14. JIRA Software 15. JIRA Core 16. Jira Portfolio 17. Confluence Questions 18. HipChat Data Center 19. HipChat Mobile Client 20. HipChat Desktop Client 21. Crowd 22. Crucible 23. FishEye 24. Bamboo 25. Bitbucket Server 26. JIRA Service Desk The assessment was performed under the guidelines provided in the statement of work between Atlassian and Bugcrowd. This letter provides a high-level overview of the testing performed, and the result of that testing. 11 of 12

Bounty Program Overview An Bounty Program is a novel approach to a penetration test or security assessment. Traditional penetration tests use only one or two researchers to test an entire scope of work, while a Bounty Program leverages a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss, in the same testing period. It is important to note that this document represents a point-in-time evaluation of security posture. Security threats and attacker techniques evolve rapidly, and the results of this assessment are not intended to represent an endorsement of the adequacy of current security measures against future threats. This Statement of Attestation contains information in summary form and is therefore intended for general guidance only; it is not intended as a substitute for detailed research or the exercise of professional judgment. The information presented here should not be construed as professional advice or service. Testing Methods This security assessment leveraged researchers that used a combination of proprietary, public, automated, and manual test techniques throughout the assessment. Commonly tested vulnerabilities include code injection, cross-site request forgery, cross-site scripting, insecure storage of sensitive data, authorization/authentication vulnerabilities, business logic vulnerabilities, and more. Summary of Findings During the engagement, Bugcrowd discovered the following: 1 critical vulnerability 13 high vulnerabilities 22 moderate vulnerabilities 12 low severity vulnerabilities 1 informational finding Upon completion of the assessment, all findings were reported to Atlassian along with all associated vulnerability data. 12 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback