imglobi.blogg.se

Teamcity slack










teamcity slack

TeamCity allows storing presets of connections to external services. You can reuse these presets in various places on the server: when creating projects, configuring notifications, integrating with issue trackers, and more. This article gives instructions on how to add each type of connection.

To add a connection, go to the target project's settings, open the Connections page, and click Add Connection. Select the connection type, set its Display name to distinguish it from the others, and configure it as described below. When created, a connection can be used in all the nested subprojects of the current project. If you add a connection in the Root project, it will become available on the whole server.

If your TeamCity server is installed behind a proxy, it is important to ensure that this is reflected in the connection settings, if applicable. When configuring a callback URL for a connection, you need to specify all URLs by which the current server can be accessed. After configuring the proxy, remember to also set the new address as the Server URL in Global Settings of TeamCity.

There are two types of Azure DevOps connections in TeamCity:

Azure DevOps OAuth 2.0 allows signing in to TeamCity via an Azure DevOps Services account and creating TeamCity projects from Azure Git and TFVC repositories.

Azure DevOps PAT allows creating TeamCity projects from Azure Git and TFVC repositories. This type of connection supports only Azure DevOps Services.

How we came about the TeamCity XSS: CVE-2019-15848

On a recent client engagement, we were challenged to gain access to their private CI server. The CI server suffered from a security misconfiguration, and we were able to gain access. This was already a success, but we wanted to show more impact on XSS.

We started looking around the client’s TeamCity instance to see how we could increase the impact of the issue. While manually crawling the site, with Burp open in the background, Burp popped a DOM-based XSS issue. This is generally a false positive, but we had a look anyway.

The analysis BurpSuite produced was the following:

Data is read from location.href and passed to jQuery.html.

The following value was injected into the source:

The following proof of concept was generated for this issue:

'">cb_Root&fromExperimentalUI='">true&tab='">stats

I tried the POC, it didn’t work, and it returned a 404. Let us try and get a working URL, and see if any injections are reflected. I tried injecting payloads I could easily search for in the DOM, like “xINJECTx”, into each query string parameter.

For the “tab” parameter, I found that my payload was reflected in the page inside a JavaScript context. This means my “xINJECTx” was inside script tags when the page was rendered.

ReactUI.renderConnected('open_in_experimental_ui', ReactUI.











