Open redirect in JIRA in HTTPS mode only

Type atlassian
Reporter austin.munsch
Modified 2017-02-20T02:56:01


If JIRA is configured for HTTPS connections (in both "redirect HTTP to HTTPS" and "HTTPS only" modes), then the following redirects are possible. This does not occur in HTTP configs.

The {{os_destination}} parameter on the {{login.jsp}} page (and other pages once logged in - see technical details below) allows you to redirect to any site if the URL is prefixed with two slashes.

Reproduction Browse to the following link (replacing {{}} with your own test server). * Log in, and see that your browser is redirected to

Example reque {code}HTTP/1.1 302 Found Server: Apache-Coyote/1.1 X-AREQUESTID: 903x5883x1 X-ASESSIONID: lw2agc Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Seraph-LoginReason: OK Location: Content-Type: text/html;charset=UTF-8 Content-Length: 0 Date: Tue, 22 Apr 2014 22:03:47 GMT{code}

I was only able to get redirects to work if the redirect URL begins with {{//}} (or {{%2F%2F}} when URL-encoded). Having special characters (such as the colon in {{http://}}) will redirect the user to the dashboard page, so it seems you can't redirect to the user to links with any other protocols.

If the user is already logged in, it doesn't seem to matter which page the {{os_destination}} parameter is on. Even if it's a page that doesn't exist, it will still redirect the user immediately. For example:

I tested this on versions 5.2.11, 6.2, and 6.2.2, but other versions are likely vulnerable as well.

Solution Confluence solves this problem by concatenating the site's URL with the contents of {{os_destination}}. So for our above example, it would redirect you to which is still an site.

Alternatively, you could have any {{os_destination}} that begins with {{//}} just redirect the user to the dashboard like what is done with special characters.