Connect Vulnerability Scanner

There are two types of vulnerabilities that this currently scans for:

1. (Reflected) XSS in the query parameters of module URLs
2. Possible secrets stored in app properties

Installation:

1. Install chromedriver and make sure that it is located in your $PATH
2. Create a virtual environment using python -m venv .venv
3. Enter the virtual environment using source .venv/bin/activate
4. Install the required packages using pip install -r requirements.txt

Usage:

python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]

CVS with all arguments:

python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY] --type ["xss", "secret", "all"] --module [APP_MODULE_TO_TARGET]

Docker Usage

Ensure you have Docker setup for your respective operating system.

Run the following from the project root:

1. docker build -t cvs-scanner .
2. docker run -v $(pwd):/app cvs-scanner --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]

Note: that if you want to scan a Confluence app installed in your instance, then the instance URL needs to end in '/wiki'. The scanner needs a valid Atlassian account and an instance where the app is installed in order to function. The API_TOKEN is only required for the secret scanner in order to enumerate through the app properties. The Atlassian account should be a member of the instance.

TODO:

• Migrate to Poetry

Contributions

Contributions to the Connect Vulnerability scanner are welcome! Please see CONTRIBUTING.md for more details.

License

Copyright (c) 2023 Atlassian and others.

The Connect Vulnerability scanner is licensed under the Apache 2.0 license.

See LICENSE for more details.