Hello, I am working with our security team on a vulnerability report for my Jira Software local instance. The tool, IBM App Scan, reports many cross-site request forgery vulnerabilities. However, it is likely that the majority, if not all, are false positives. Given that I don't want to go through each one individually to prove that they are false positives to our security (normal procedure here), I was wondering if there was a document or website link that I could point them to about Jira's built in XSRF protection?
I am using Jira Software 7.10.0.
Thanks!
Byron Douglas
Hi!
https://confluence.atlassian.com/doc/configuring-xsrf-protection-218276695.html
Cheers,
Gonchik Tsymzhitov
Hi Gonchik, this link is more about turning CSRF off in Confluence. I need help specifically with Jira Software and CSRF attacks. Below is an example of a report (1 of 77) that App Scan is producing:
Severity: Medium
URL: https://d311271.cdc.gov:8443/secure/UpdateMyJiraHome.jspa
Entity: UpdateMyJiraHome.jspa
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insufficient authentication method was used by the application
Fix: Validate the value of the "Referer" header, and use a one-time-nonce for each submitted form
Difference: Header manipulated from: https://d311271.cdc.gov:8443/secure/ContactAdministrators!default.jspa to: http://bogus.referer.ibm.com
Reasoning: The test result seems to indicate a vulnerability because the Test Response is identical to the Original Response, indicating that the Cross-Site Request Forgery attempt was successful, even though it included a fictive 'Referer' header.
Thanks for any help.
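The report above shows what App Scan actually tested: it resent the form with a forged Referer and flagged the endpoint because the response did not change. A Jira action that is protected by the atl_token form field (checked against the atlassian.xsrf.token cookie) never looks at the Referer, so that test cannot distinguish "protected by a token" from "unprotected". The script below is an added example, not part of this thread and not Atlassian's or IBM's code. It replays the same POST four ways (unchanged, bogus Referer, token removed, wrong token) and reports which variation the action rejects. So that it runs offline, the target is a constructed in-process stand-in for a .jspa action that enforces the token exactly as described; the cookie name, the atl_token field and the "XSRF Security Token Missing" page title are Jira's, while the loopback port, the myJiraHome form field and the sample token value are constructed for the example. Point `url`, `fields` and `cookies` at a real instance (with a token taken from a logged-in browser session) to run the same check against an actual finding.

```python
"""Replay a form POST several ways to tell a token-protected Jira action
from a Referer-only scanner false positive.  Added example code, not
Atlassian's or IBM's; the target is a constructed in-process stand-in."""
import http.cookies
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

XSRF_COOKIE = "atlassian.xsrf.token"        # cookie Jira sets
XSRF_PARAM = "atl_token"                     # form field Jira checks against it
XSRF_ERROR = "XSRF Security Token Missing"   # title of Jira's rejection page
SAMPLE_TOKEN = "BQ3D-9X7N-K2M4-PL8C"         # constructed sample token value


class FakeJiraAction(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a .jspa action: rejects a POST whose atl_token
    does not match the atlassian.xsrf.token cookie and ignores Referer."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        cookie_token = jar[XSRF_COOKIE].value if XSRF_COOKIE in jar else None
        form_token = form.get(XSRF_PARAM, [None])[0]
        if form_token is None or form_token != cookie_token:
            body = f"<html><title>{XSRF_ERROR}</title></html>".encode()
        else:
            body = b"<html><title>My Jira Home updated</title></html>"
        # Status stays 200 on both branches; the probe compares bodies, not codes.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_jira():
    """Serve the stand-in on a free loopback port (constructed target)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeJiraAction)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def post(url, fields, cookies, referer):
    """One POST with explicit Cookie and Referer headers; returns (status, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_csrf(url, fields, cookies, good_referer):
    """Replay the same form four ways and report what the action actually checks."""
    baseline = post(url, fields, cookies, good_referer)
    bogus_referer = post(url, fields, cookies, "http://bogus.referer.ibm.com")  # App Scan's test
    no_token_fields = {k: v for k, v in fields.items() if k != XSRF_PARAM}
    without_token = post(url, no_token_fields, cookies, good_referer)
    wrong_token = post(url, {**fields, XSRF_PARAM: "0000-0000-0000-0000"}, cookies, good_referer)
    return {
        "referer_ignored": bogus_referer == baseline,
        "missing_token_rejected": without_token != baseline and XSRF_ERROR in without_token[1],
        "wrong_token_rejected": wrong_token != baseline and XSRF_ERROR in wrong_token[1],
    }


def verdict(result):
    """Turn the probe result into the sentence you would put in the report."""
    if result["missing_token_rejected"] and result["wrong_token_rejected"]:
        return "token-protected: the Referer finding is a false positive"
    if not result["referer_ignored"]:
        return "Referer-checked only: weak protection, review manually"
    return "no CSRF defence observed: real finding"


def run_demo():
    server, port = start_fake_jira()
    try:
        url = f"http://127.0.0.1:{port}/secure/UpdateMyJiraHome.jspa"
        fields = {"myJiraHome": "dashboard", XSRF_PARAM: SAMPLE_TOKEN}  # constructed form body
        referer = f"http://127.0.0.1:{port}/secure/ContactAdministrators!default.jspa"
        result = probe_csrf(url, fields, {XSRF_COOKIE: SAMPLE_TOKEN}, referer)
        return result, verdict(result)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The point for the security team is the third and fourth replays, not the second: a finding is only real if the action accepts the form with the token missing or wrong. Running this against the listed endpoints with a real session turns "77 findings" into a short list of anything that actually accepts a token-less POST.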
Just curious: is it helpful if you use this app?
https://marketplace.atlassian.com/apps/1213129/prevent-anonymous-access?hosting=server&tab=overview