Session Not Invalidated after Manipulating Session Cookie

SonarQube 6.7.3

Change a known, active, valid session cookie and submit the request.

Expected response: a request to log in, as the session cookie is not valid.

Actual response: the request succeeds and returns the original session cookie (not the manipulated one) in the response.

Example:

Known good session cookie value is:
JWT-SESSION=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJpYXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZW4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9.tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk

Replace the last section of the cookie: tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk
with u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo

Request and Response:

GET /sonar/api/metrics/search?ps=9999 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://**************/sonar/dashboard?id=Demo_App
Cookie: XSRF-TOKEN=plpa138pmfnj6al5hbr28p4dji; JWTSESSION=
eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FBaHRtdlZRWm42WHAyTmNrdiIsInN1YiI6InNjYW4tYWRtaW4iLCJp
YXQiOjE1Mzk3NTQ2MTMsImV4cCI6MTU0MDAxMzgxMywibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzU0NjEzMTY3LCJ4c3JmVG9rZ
W4iOiJwbHBhMTM4cG1mbmo2YWw1aGJyMjhwNGRqaSJ9.u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo
Connection: keep-alive
Host: ****************
Accept: application/json
Accept-Language: en-US,en;q=0.9
X-XSRF-TOKEN: plpa138pmfnj6al5hbr28p4dji

HTTP/1.1 200
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: JWTSESSION=
eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJp
YXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZ
W4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9.tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk; Max-Age=259200; Expires=Sat, 20-Oct-2018 16:51:22 GMT; Path=/sonar; HttpOnly
Set-Cookie: XSRF-TOKEN=77vgag7k2v84pdr2q6r9plrvs1; Max-Age=259200; Expires=Sat, 20-Oct-2018 16:51:22 GMT; Path=/sonar
Date: Wed, 17 Oct 2018 16:51:21 GMT
Content-Type: application/json

{
"metrics": [
{
"id": "11",

Note: the above was reported by AppScan version 9.0.3.10.

Hi Kevin,

Thanks for sharing this message.

Could you please validate that the “corrupted” JWT token is invalid by using the “Debugger” form at https://jwt.io?

Regards,
Julien Lancelot

The session cookie was manipulated by changing the signature. http://jwt.io reports that this is an invalid signature. SonarQube replied with a 200 and a session cookie with a valid signature, verified at jwt.io.

Oh wait! I was so focused on the JWT that I didn’t see the obvious part: the web service api/metrics/search does not require any permission, so even with an empty JWT token you’ll get a 200.

You should try the same with api/projects/search, which requires the “System administrator” permission.

You are of course correct sir! Please close and thanks for your time.
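As an added example (not code from either poster, nor from SonarQube), the script below decodes the known-good JWT-SESSION value from the report, checks that its xsrfToken claim matches the XSRF-TOKEN cookie set in the response, and implements HS256 signing and verification. The signing secret is constructed, since SonarQube's real one is not on the page, so the tampered-signature check is run against a token the script signs itself from the report's own claims.

```python
import base64
import hashlib
import hmac
import json
# The known-good JWT-SESSION value quoted in the report, reassembled from its wrapped lines.
KNOWN_GOOD = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJp"
    "YXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZ"
    "W4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9."
    "tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk"
)
SWAPPED_SIG = "u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo"  # signature the report swapped in

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def decode_claims(token: str):
    """Header and payload WITHOUT signature verification: this is all jwt.io's debugger shows."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def xsrf_matches(token: str, xsrf_cookie: str) -> bool:
    """The XSRF-TOKEN cookie in the captured response equals the session's xsrfToken claim."""
    return decode_claims(token)[1].get("xsrfToken") == xsrf_cookie

def sign_hs256(claims: dict, secret: bytes) -> str:
    head = b64url_encode(b'{"alg":"HS256"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the signature is HMAC-SHA256 over 'header.payload' under secret."""
    head, body, sig = token.split(".")
    mac = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(sig))

def with_signature(token: str, new_sig: str) -> str:
    head, body, _ = token.split(".")
    return f"{head}.{body}.{new_sig}"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # the real SonarQube signing secret is not on the page
    mine = sign_hs256(decode_claims(KNOWN_GOOD)[1], secret)
    print(verify_hs256(mine, secret), verify_hs256(with_signature(mine, SWAPPED_SIG), secret))
```

Decoding succeeds for any well-formed token, valid or not, which is why a 200 from api/metrics/search, an endpoint that needs no permission, says nothing about whether the signature was checked; the request against api/projects/search suggested above is the one that exercises it.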