@chhantyal We don’t have a full list published at this stage, but we’re evaluating putting together some content on this topic at the moment.
To help, the top 3 vulnerabilities we see in the bug bounty program today are:
XSS (Cross-site scripting)
This is by far the most common vulnerability. To mitigate, make sure that you’re correctly escaping output across your apps. Also set CSP headers to mitigate XSS vulnerabilities that may be present.
More details @ What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy.
IDOR (Insecure Direct Object Reference)
Ensure that you’re correctly checking permissions for any CRUD operations in your apps, both to your own data stores and to gate calls to Atlassian APIs. Make sure that the user attempting to access a resource actually has the correct privileges to do so.
Be especially careful when you’re making server-to-server REST API calls authenticated by JWT in Atlassian Connect, or using .asApp() in Forge, as your app’s “bot user” will usually have more privileges than the user that you’re calling on behalf of, and failing to do so means an attacker can escalate their privileges. When performing an action on behalf of a user, prefer using authentication mechanisms that impersonate users when making REST API calls — .asUser() in Forge or ACT_AS_USER authenticated requests in Connect.
More details @ Insecure direct object references (IDOR) | Web Security Academy
BASM (Broken Authentication/Session Management)
For Connect apps, make sure that you are verifying all requests from Atlassian correctly by checking the JWT signatures on end-points that serve webhooks and iframes. If your apps have user experiences that users access via browsers outside of the context of an iframe, ensure you have appropriate authn & session controls implemented.
Authentication is largely automatic in Forge, but if you’re using Web Triggers to expose end-points, ensure that you have appropriate authentication mechanisms applied to them. Similarly if you are egressing data from Forge, make sure the service you are targeting has appropriate authentication controls set up.
Hope this helps! If you have any specific concerns or questions, happy to follow up.
As I mentioned we’re looking to create some more security enablement content for the developer community in the near future, so if there’s any topics you’re looking for guidance on I’d be very keen to hear them.
cheers,
Tim