Session Not Invalidated after Manipulating Session Cookie

(Kevin Sheehan) #1

SonarQube 6.7.3

Change a known, active valid session cookie and submit request.

Expected Response: Request to Login as Session cookie is not valid

Actual Response: The request succeeds and returns the original session cookie (not the manipulated one) in the response.


Known good Session Cookie value is:

Replace the last section of the cookie: tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk
with u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo

Request and Response:

GET /sonar/api/metrics/search?ps=9999 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/67.0.3396.79 Safari/537.36
Referer: http://**************/sonar/dashboard?id=Demo_App
Cookie: XSRF-TOKEN=plpa138pmfnj6al5hbr28p4dji; JWTSESSION=
Connection: keep-alive
Host: ****************
Accept: application/json
Accept-Language: en-US,en;q=0.9
X-XSRF-TOKEN: plpa138pmfnj6al5hbr28p4dji

HTTP/1.1 200
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate
W4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9.tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk; Max-
Age=259200; Expires=Sat, 20-Oct-2018 16:51:22 GMT; Path=/sonar; HttpOnly
Set-Cookie: XSRF-TOKEN=77vgag7k2v84pdr2q6r9plrvs1; Max-Age=259200; Expires=Sat, 20-Oct-2018
16:51:22 GMT; Path=/sonar
Date: Wed, 17 Oct 2018 16:51:21 GMT
Content-Type: application/json
"metrics": [
"id": "11",

Note the above is reported by AppScan version

(Julien Lancelot) #3

Hi Kevin,

Thanks for sharing this message.

Could you please validate that the JWT token “corrupted” is invalid, by using the “Debugger” form in ?

Julien Lancelot

(Kevin Sheehan) #4

The session cookie was manipulated by changing the signature. reports that this is an invalid signature. SonarQube replied with a 200 and a session cookie with a valid signature - verified at

(Julien Lancelot) #5

Oh wait! I was so focused on the JWT that I didn't see the obvious part: the web service api/metrics/search does not require any permission, so even with an empty JWT token you'll get a code 200.

You should try the same with api/projects/search which requires “System administrator” permission.
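
The point made in this reply, that a tampered session cookie is only observable on an endpoint that actually checks permissions, is illustrated below with an added, self-contained example; it is not SonarQube code and does not reproduce its session handling. It mints an HS256 JWT with a constructed demo secret, tampers with the signature segment the way the report describes, and runs both tokens against a hypothetical permission table in which `/api/metrics/search` is open and `/api/projects/search` requires a `sysadmin` permission. The endpoint names come from the thread; the permission table, the `perms` claim and all key material are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real server uses a random, secret signing key.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Create an HS256 JWT of the form header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> Optional[dict]:
    """Return the claims if the signature is valid and the alg is HS256, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse "none" or any algorithm the server did not issue
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison; differing lengths simply compare unequal.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_signature(token: str) -> str:
    """Replace the signature segment, leaving header and payload intact."""
    header, payload, _ = token.split(".")
    bogus = _b64url(b"\x00" * 32)
    return f"{header}.{payload}.{bogus}"


# Hypothetical permission table modelled on the thread: one endpoint open to
# anonymous callers, one that requires a system-administrator session.
ENDPOINT_PERMISSION = {
    "/api/metrics/search": None,
    "/api/projects/search": "sysadmin",
}


def handle_request(path: str, cookie_token: str) -> int:
    """Return the HTTP status a permission-aware server would send."""
    required = ENDPOINT_PERMISSION.get(path)
    if required is None:
        return 200  # public endpoint: the session cookie is never examined
    claims = verify_token(cookie_token)
    if claims is None:
        return 401  # tampered or missing session: caller must log in
    if required not in claims.get("perms", []):
        return 403  # valid session, insufficient permission
    return 200


def demo() -> dict:
    """Run the valid and the tampered token against both endpoints."""
    good = mint_token({"sub": "admin", "perms": ["sysadmin"]})
    bad = tamper_signature(good)
    return {
        "good_verifies": verify_token(good) is not None,
        "bad_verifies": verify_token(bad) is not None,
        "public_with_bad": handle_request("/api/metrics/search", bad),
        "protected_with_bad": handle_request("/api/projects/search", bad),
        "protected_with_good": handle_request("/api/projects/search", good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tampered token fails `verify_token`, yet the public endpoint still answers 200 because it never consults the session; only the protected endpoint turns the bad signature into a 401. That is why a session-invalidation test has to be aimed at an endpoint that enforces a permission.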

(Kevin Sheehan) #6

You are of course correct sir! Please close and thanks for your time.