Intigriti - Hack Hub
Disabled XSRF Protection

Last updated 12 months ago

Description:

Atlassian Confluence lets users add themes and external plugins. Some older themes or plugins only work when XSRF protection is disabled, as Atlassian's own documentation points out:

Some third-party or deprecated Confluence themes will not work with the new Confluence XSRF protection. You may disable XSRF protection to support old themes at the cost of reducing security. - Atlassian Confluence Docs

However, turning off the built-in XSRF protection in your Confluence instance opens up new attack vectors for bad actors to abuse.

Testing:

If XSRF protection is turned off, bad actors could post comments on other users' behalf simply by sending them a link to an attacker-controlled site that replicates the comment POST request. Because the victim's browser attaches their Confluence session cookie, the server creates the comment on the victim's behalf without their knowledge.
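To make the difference concrete, here is an added example (not Misconfig Mapper or Atlassian code) that models a comment endpoint in both configurations: with XSRF protection disabled, any POST that carries the victim's session cookie is accepted; with it enabled, the request must also carry the per-session token (named atl_token as in Atlassian products) and come from the site's own origin. The hostnames, user name and comment texts are constructed sample data.

```python
# Added example, not Misconfig Mapper or Atlassian code: a minimal model of a
# comment endpoint with XSRF protection disabled vs. enabled, showing why a
# cross-site POST only succeeds in the misconfigured state.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://wiki.example.test"   # constructed sample origin


@dataclass
class Session:
    user: str
    # Per-session XSRF token; a third-party page cannot read this value.
    xsrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Session   # browser attaches the session cookie automatically
    form: dict         # POST body exactly as the originating page sent it
    origin: str        # Origin header set by the browser, not by the page


comments = []


def add_comment(req: Request, xsrf_protection: bool) -> bool:
    """Create a comment as req.session.user; return True if accepted."""
    if xsrf_protection:
        # Synchronizer token check: the submitted atl_token must match the
        # token bound to the victim's session (constant-time comparison).
        token = req.form.get("atl_token", "")
        if not hmac.compare_digest(token, req.session.xsrf_token):
            return False
        # Defence in depth: reject submissions originating from other sites.
        if req.origin != SITE_ORIGIN:
            return False
    comments.append((req.session.user, req.form["comment"]))
    return True


def demo(xsrf_protection: bool) -> dict:
    comments.clear()
    victim = Session("alice")
    # Legitimate submission from the site's own comment form, token included.
    own_form = Request(victim, {"comment": "LGTM", "atl_token": victim.xsrf_token}, SITE_ORIGIN)
    # Constructed cross-site submission: the cookie is sent by the browser, but
    # the foreign page cannot read alice's token and can only guess it.
    cross_site = Request(victim, {"comment": "spam", "atl_token": "guess"}, "https://evil.example.test")
    return {"legit": add_comment(own_form, xsrf_protection),
            "cross_site": add_comment(cross_site, xsrf_protection),
            "comments": list(comments)}
```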

Remediation:

It is always recommended to upgrade and use the latest version available of Atlassian Confluence.

  1. Navigate to your Confluence instance and sign in

  2. Open your Administrator Settings by clicking on the gear icon next to your profile picture

  3. In your side navigation bar, scroll down to Security and open Security Configurations

  4. Make sure that XSRF Protection for adding comments is enabled

  5. Save your changes

Potential Impact:

When XSRF protection is turned off, malicious users can target authenticated users by sending them a specially crafted link that automatically performs an action on the victim's behalf, for example posting a comment.

References:

https://confluence.atlassian.com/doc/configuring-xsrf-protection-218276695.html