SonarQube 6.7.3
Change a known, active, valid session cookie and submit the request.
Expected response: the request is sent to login, because the session cookie is not valid.
Actual response: the request succeeds and returns the original session cookie (not the manipulated one) in the response.
Example:
Known good session cookie value is:
JWT-SESSION=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJpYXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZW4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9.tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk
Replace the last section of the cookie (the JWT signature), tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk, with u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo
Request and Response:
GET /sonar/api/metrics/search?ps=9999 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://**************/sonar/dashboard?id=Demo_App
Cookie: XSRF-TOKEN=plpa138pmfnj6al5hbr28p4dji; JWTSESSION=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FBaHRtdlZRWm42WHAyTmNrdiIsInN1YiI6InNjYW4tYWRtaW4iLCJpYXQiOjE1Mzk3NTQ2MTMsImV4cCI6MTU0MDAxMzgxMywibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzU0NjEzMTY3LCJ4c3JmVG9rZW4iOiJwbHBhMTM4cG1mbmo2YWw1aGJyMjhwNGRqaSJ9.u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo
Connection: keep-alive
Host: ****************
Accept: application/json
Accept-Language: en-US,en;q=0.9
X-XSRF-TOKEN: plpa138pmfnj6al5hbr28p4dji
HTTP/1.1 200
Transfer-Encoding: chunked
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: JWTSESSION=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJpYXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZW4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9.tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk; Max-Age=259200; Expires=Sat, 20-Oct-2018 16:51:22 GMT; Path=/sonar; HttpOnly
Set-Cookie: XSRF-TOKEN=77vgag7k2v84pdr2q6r9plrvs1; Max-Age=259200; Expires=Sat, 20-Oct-2018 16:51:22 GMT; Path=/sonar
Date: Wed, 17 Oct 2018 16:51:21 GMT
Content-Type: application/json
{
"metrics": [
{
"id": "11",
…
Note: the above was reported by AppScan version 9.0.3.10.
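As an added example (not part of this report and not SonarQube's own code), the following Python decodes the two JWT-SESSION values quoted above to check whether the session the response set differs from the one the request presented, and shows the HS256 signature check a server must pass a cookie through before trusting it. The signing key is a constructed placeholder, since the real key is not on the page; the tampered-signature case reuses the foreign signature from the report.

```python
import base64, hashlib, hmac, json

# Tokens copied from the request Cookie and the response Set-Cookie above.
REQUEST_JWT = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJqdGkiOiJBV2FBaHRtdlZRWm42WHAyTmNrdiIsInN1YiI6InNjYW4tYWRtaW4iLCJp"
    "YXQiOjE1Mzk3NTQ2MTMsImV4cCI6MTU0MDAxMzgxMywibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzU0NjEzMTY3LCJ4c3JmVG9rZ"
    "W4iOiJwbHBhMTM4cG1mbmo2YWw1aGJyMjhwNGRqaSJ9."
    "u8EXza1l5eyXnOT1XrkBvjoLkvtViZ7Me1uDcut3jeo")
RESPONSE_JWT = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJqdGkiOiJBV2FDMlM4TlZRWm42WHAyTmNsQSIsInN1YiI6InNjYW4tYWRtaW4iLCJp"
    "YXQiOjE1Mzk3OTM1NjMsImV4cCI6MTU0MDA1NDI4MiwibGFzdFJlZnJlc2hUaW1lIjoxNTM5NzkzNTYzNDA1LCJ4c3JmVG9rZ"
    "W4iOiI3N3ZnYWc3azJ2ODRwZHIycTZyOXBscnZzMSJ9."
    "tQ77Ico0bou1OXpOklHeIccH13cZLfQ70wS_d_BZ5Lk")
DEMO_KEY = b"constructed-demo-key"  # placeholder; the real signing key is not on the page

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def claims(token):
    """Decode the payload WITHOUT verifying it: for inspection only."""
    return json.loads(b64url_decode(token.split(".")[1]))

def session_changed(sent, received):
    """Detection check for the behaviour reported above: the response set a
    session (jti) different from the one the request presented."""
    return claims(sent)["jti"] != claims(received)["jti"]

def verify_hs256(token, key):
    """Server-side check: recompute the HMAC over header.payload and compare
    it to the presented signature in constant time."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False
        mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, b64url_decode(s))
    except ValueError:  # malformed base64 or JSON is a rejection, not a crash
        return False

def sign_hs256(payload, key):
    """Mint a token with a known key so the verify path can be exercised."""
    h = b64url_encode(b'{"alg":"HS256"}')
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"
```

Running `session_changed(REQUEST_JWT, RESPONSE_JWT)` on the report's two cookies returns True, which is the observation the scanner flagged; `verify_hs256` on a token whose signature was swapped returns False, which is the response the report expected.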