Vulnerability Information
Vulnerability name: Bitbucket OAuth Credentials Exposure
Vulnerability type: Information disclosure
Severity: High
Description: This finding concerns auth.json files that hold Bitbucket OAuth consumer credentials and are served from a publicly reachable path on a web server. Bitbucket is a widely used source-code hosting and collaboration platform for version control and project management. The root cause is a deployment misconfiguration: a credentials file is left inside, or copied into, a directory the web server exposes, so an unauthenticated HTTP GET request returns it. The file layout the template targets, a "bitbucket-oauth" block with consumer-key and consumer-secret entries, is the one Composer writes to its auth.json for private Bitbucket package sources, which is why such files end up beside PHP project code. With the consumer key and secret an attacker can obtain OAuth access tokens on the consumer's behalf, make API calls with whatever scopes that consumer was granted, clone private repositories and, depending on the scopes, modify repository contents or settings. No authentication is needed and the probe is a plain GET against a fixed set of paths, so it is trivially automated at scale against any site that integrates with Bitbucket. Remediation: keep auth.json outside the web root (or deny it explicitly in the web-server configuration), and treat any exposed consumer secret as compromised: revoke or regenerate the OAuth consumer in Bitbucket rather than merely hiding the file.
Vendor: Bitbucket
Product: Bitbucket
Source: https://github.com/projectdiscovery/nuclei-templates/blob/78a258ba78fd91d980b8679156f97833ce5042e2/http%2Fexposures%2Ffiles%2Fbitbucket-oauth-exposure.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details
id: bitbucket-oauth-exposure

info:
  name: Bitbucket OAuth Credentials Exposure
  author: TheZakMan
  severity: high
  description: Detects exposed auth.json files containing Bitbucket OAuth credentials
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200
  tags: exposure,bitbucket,oauth,credentials,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/auth.json"
      - "{{BaseURL}}/.auth.json"
      - "{{BaseURL}}/config/auth.json"
      - "{{BaseURL}}/configs/auth.json"
      - "{{BaseURL}}/configuration/auth.json"
      - "{{BaseURL}}/api/auth.json"
      - "{{BaseURL}}/app/auth.json"
      - "{{BaseURL}}/assets/auth.json"
      - "{{BaseURL}}/data/auth.json"
      - "{{BaseURL}}/files/auth.json"
      - "{{BaseURL}}/public/auth.json"
      - "{{BaseURL}}/static/auth.json"
      - "{{BaseURL}}/uploads/auth.json"
      - "{{BaseURL}}/backup/auth.json"
      - "{{BaseURL}}/backups/auth.json"
      - "{{BaseURL}}/tmp/auth.json"
      - "{{BaseURL}}/temp/auth.json"
      - "{{BaseURL}}/cache/auth.json"
      - "{{BaseURL}}/logs/auth.json"
      - "{{BaseURL}}/admin/auth.json"
      - "{{BaseURL}}/administrator/auth.json"
      - "{{BaseURL}}/src/auth.json"
      - "{{BaseURL}}/source/auth.json"
      - "{{BaseURL}}/www/auth.json"
      - "{{BaseURL}}/web/auth.json"
      - "{{BaseURL}}/site/auth.json"
      - "{{BaseURL}}/sites/auth.json"
      - "{{BaseURL}}/private/auth.json"
      - "{{BaseURL}}/secure/auth.json"
      - "{{BaseURL}}/secret/auth.json"
      - "{{BaseURL}}/secrets/auth.json"
      - "{{BaseURL}}/env/auth.json"
      - "{{BaseURL}}/environment/auth.json"
      - "{{BaseURL}}/test/auth.json"
      - "{{BaseURL}}/tests/auth.json"
      - "{{BaseURL}}/dev/auth.json"
      - "{{BaseURL}}/development/auth.json"
      - "{{BaseURL}}/staging/auth.json"
      - "{{BaseURL}}/prod/auth.json"
      - "{{BaseURL}}/production/auth.json"
      - "{{BaseURL}}/includes/auth.json"
      - "{{BaseURL}}/include/auth.json"
      - "{{BaseURL}}/lib/auth.json"
      - "{{BaseURL}}/libs/auth.json"
      - "{{BaseURL}}/library/auth.json"
      - "{{BaseURL}}/vendor/auth.json"
      - "{{BaseURL}}/vendors/auth.json"
      - "{{BaseURL}}/node_modules/auth.json"
      - "{{BaseURL}}/storage/auth.json"
      - "{{BaseURL}}/database/auth.json"
      - "{{BaseURL}}/db/auth.json"
      - "{{BaseURL}}/auth/auth.json"
      - "{{BaseURL}}/authentication/auth.json"
      - "{{BaseURL}}/oauth/auth.json"
      - "{{BaseURL}}/keys/auth.json"
      - "{{BaseURL}}/credentials/auth.json"
      - "{{BaseURL}}/creds/auth.json"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "bitbucket-oauth"
          - "bitbucket"
        condition: or
        case-insensitive: true

      - type: word
        words:
          - "consumer-secret"
          - "consumer-key"
          - "consumer_secret"
          - "consumer_key"
        condition: or
        case-insensitive: true

    extractors:
      - type: regex
        name: bitbucket_credentials
        regex:
          - '"consumer-key":\s*"([^"]+)"'
          - '"consumer-secret":\s*"([^"]+)"'
          - '"consumer_key":\s*"([^"]+)"'
          - '"consumer_secret":\s*"([^"]+)"'
        group: 1

      - type: regex
        name: bitbucket_oauth_block
        regex:
          - '"bitbucket-oauth":\s*\{[^}]+\}'
          - '"bitbucket":\s*\{[^}]+\}'
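The template's detection is deliberately loose: any 200 response that mentions "bitbucket" anywhere and also contains a consumer_key/consumer-secret style token fires all three matchers, so a documentation page or a JavaScript bundle can produce a hit with no credential in it. The script below is an added example written for this page, not code from the nuclei-templates project or its author. It reimplements the template's matcher and regex-extractor logic in Python, then adds the confirmation step a triager should require before escalating: parse the body as JSON and walk the Composer-style {"bitbucket-oauth": {"<host>": {"consumer-key", "consumer-secret"}}} layout (and the flat {"bitbucket": {...}} variant the template's second regex targets). Secrets are masked before they reach the report. All sample responses are constructed inline; the "docs_page" sample is there to show the false-positive case.

```python
"""Offline mirror of the bitbucket-oauth-exposure template's matcher/extractor logic,
plus a stricter JSON-based confirmation step. Added example; not the template's own code."""
import json
import re

# Marker words from the template's two word-matchers (case-insensitive, OR within each group).
BITBUCKET_MARKERS = ("bitbucket-oauth", "bitbucket")
CONSUMER_MARKERS = ("consumer-secret", "consumer-key", "consumer_secret", "consumer_key")

# Equivalent of the template's four group-1 regexes, collapsed to hyphen-or-underscore.
KEY_RE = re.compile(r'"consumer[-_]key":\s*"([^"]+)"')
SECRET_RE = re.compile(r'"consumer[-_]secret":\s*"([^"]+)"')


def template_matches(status: int, body: str) -> bool:
    """True when all three template matchers fire: HTTP 200, a Bitbucket marker, a consumer-* marker."""
    if status != 200:
        return False
    lowered = body.lower()
    return any(m in lowered for m in BITBUCKET_MARKERS) and any(m in lowered for m in CONSUMER_MARKERS)


def extract_regex(body: str) -> dict:
    """What the template's 'bitbucket_credentials' extractor would report: raw values, unpaired."""
    return {"keys": KEY_RE.findall(body), "secrets": SECRET_RE.findall(body)}


def _consumer_pair(obj):
    """Return (key, secret) if obj is a dict carrying a consumer credential pair, else None."""
    if not isinstance(obj, dict):
        return None
    key = obj.get("consumer-key", obj.get("consumer_key"))
    secret = obj.get("consumer-secret", obj.get("consumer_secret"))
    if isinstance(key, str) and isinstance(secret, str):
        return key, secret
    return None


def extract_structured(body: str) -> list:
    """Confirmation step: parse as JSON and walk the Composer auth.json layout
    {"bitbucket-oauth": {"<host>": {"consumer-key": ..., "consumer-secret": ...}}}
    and the flat {"bitbucket": {"consumer_key": ..., "consumer_secret": ...}} variant.
    Returns [(host, key, secret), ...]; [] when the body is not JSON or holds no pair."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    findings = []
    for top in ("bitbucket-oauth", "bitbucket"):
        block = data.get(top)
        if not isinstance(block, dict):
            continue
        pair = _consumer_pair(block)          # flat variant: credentials directly under the block
        if pair:
            findings.append(("", *pair))
            continue
        for host, creds in block.items():     # Composer variant: one entry per host
            pair = _consumer_pair(creds)
            if pair:
                findings.append((host, *pair))
    return findings


def mask(secret: str) -> str:
    """Keep a 4-char prefix so the report can be shared without re-leaking the secret."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def classify(status: int, body: str) -> dict:
    """'matched' is what nuclei would report; 'confirmed' requires a parsed credential pair."""
    matched = template_matches(status, body)
    findings = extract_structured(body) if matched else []
    return {
        "matched": matched,
        "confirmed": bool(findings),
        "findings": [(host, key, mask(secret)) for host, key, secret in findings],
    }


# Constructed sample responses (status, body); not captured from any real host.
SAMPLES = {
    "composer": (200, json.dumps({"bitbucket-oauth": {"bitbucket.org": {
        "consumer-key": "AbCdEfGhIjKlMnOpQr",
        "consumer-secret": "s3cr3tValueThatShouldNeverBeServed"}}})),
    "flat": (200, '{"bitbucket": {"consumer_key": "k1", "consumer_secret": "sec123"}}'),
    "docs_page": (200, "<p>Set your Bitbucket consumer_key and consumer_secret in the admin panel.</p>"),
    "not_found": (404, '{"bitbucket-oauth": {"bitbucket.org": {"consumer-key": "x", "consumer-secret": "y"}}}'),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, classify(status, body))
```

Run it directly to see the four cases side by side: the Composer and flat bodies are both matched and confirmed, the docs page is matched by the template but not confirmed (no parseable credential pair), and the 404 body never matches because the status matcher is ANDed with the others. When triaging real scan output, escalate only on confirmed hits and rotate the consumer in Bitbucket before anything else.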