Skip to content

A DAST tool to check your Atlassian Connect app against Atlassian's security requirements.

License

Notifications You must be signed in to change notification settings

atlassian-labs/Connect-Vulnerability-Scanner

Repository files navigation

Connect Vulnerability Scanner

Apache license PRs Welcome There are two types of vulnerabilities that this currently scans for:

  1. (Reflected) XSS in the query parameters of module URLs
  2. Possible secrets stored in app properties

Installation:

  1. Install chromedriver and make sure that it is located in your $PATH
  2. Create a virtual environment using python -m venv .venv
  3. Enter the virtual environment using source .venv/bin/activate
  4. Install the required packages using pip install -r requirements.txt

Usage:

python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]

CVS with all arguments:

python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY] --type ["xss", "secret", "all"] --module [APP_MODULE_TO_TARGET]

Docker Usage

Ensure you have Docker setup for your respective operating system.

Run the following from the project root:

  1. docker build -t cvs-scanner .
  2. docker run -v $(pwd):/app cvs-scanner --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]

Note: that if you want to scan a Confluence app installed in your instance, then the instance URL needs to end in '/wiki'. The scanner needs a valid Atlassian account and an instance where the app is installed in order to function. The API_TOKEN is only required for the secret scanner in order to enumerate through the app properties. The Atlassian account should be a member of the instance.

TODO:

  • Migrate to Poetry

Contributions

Contributions to the Connect Vulnerability scanner are welcome! Please see CONTRIBUTING.md for more details.

License

Copyright (c) 2023 Atlassian and others.

The Connect Vulnerability scanner is licensed under the Apache 2.0 license.

See LICENSE for more details.

With �� from Atlassian

About

A DAST tool to check your Atlassian Connect app against Atlassian's security requirements.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published