- (Reflected) XSS in the query parameters of module URLs
- Possible secrets stored in app properties
- Install chromedriver and make sure that it is located in your
$PATH - Create a virtual environment using
python -m venv .venv - Enter the virtual environment using
source .venv/bin/activate - Install the required packages using
pip install -r requirements.txt
python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]
CVS with all arguments:
python scan.py --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY] --type ["xss", "secret", "all"] --module [APP_MODULE_TO_TARGET]
Ensure you have Docker setup for your respective operating system.
Run the following from the project root:
docker build -t cvs-scanner .docker run -v $(pwd):/app cvs-scanner --username [USERNAME] --password [PASSWORD] --api-token [API_TOKEN] --url [INSTANCE_URL] --descriptor [DESCRIPTOR_URL] --out [OUTPUT_DIRECTORY]
Note: that if you want to scan a Confluence app installed in your instance, then the instance URL needs to end in '/wiki'. The scanner needs a valid Atlassian account and an instance where the app is installed in order to function. The API_TOKEN is only required for the secret scanner in order to enumerate through the app properties. The Atlassian account should be a member of the instance.
- Migrate to Poetry
Contributions to the Connect Vulnerability scanner are welcome! Please see CONTRIBUTING.md for more details.
Copyright (c) 2023 Atlassian and others.
The Connect Vulnerability scanner is licensed under the Apache 2.0 license.
See LICENSE for more details.
