SonarQube Credential Disclosure Scanner

Detects 'Credential Disclosure' vulnerability in SonarQube. Identifies exposed cloud authentication tokens that may lead to unauthorized access.

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 6 hours
Scan only one: URL
Toolbox: -

SonarQube is a popular open-source platform used by software development teams to continuously inspect and analyze code quality and security vulnerabilities. It integrates with various development environments and supports a wide range of programming languages. Organizations use SonarQube to ensure compliance with coding standards and to maintain clean-code practices. The platform can be deployed both on-premises and in the cloud, making it accessible for teams of all sizes. Its authentication features allow users to generate and use tokens for secure access. These tokens, if exposed, can be misused for unauthorized activities.

The vulnerability targeted by this scanner involves the unintended exposure of SonarQube cloud authentication tokens. These tokens, if publicly accessible, can allow malicious actors to validate and gain access to SonarQube services without user credentials. The tokens are often 40-character hexadecimal strings that can be found in web page responses if not properly secured. Once an attacker discovers a token, they can interact with the authentication API to confirm its validity. The severity of this issue is classified as high due to the risk of unauthorized access and potential data leakage. The issue arises from misconfigured or exposed endpoints that fail to properly protect sensitive credentials.

This scanner detects whether a token is exposed in the HTTP response body of the SonarQube service's main page. If a potential token is found, the scanner proceeds to validate it using the official SonarCloud API: it sends a request to the `/api/authentication/validate` endpoint with the exposed token in the Authorization header. A valid token results in a 200 OK status along with JSON content indicating that the token is valid. This two-step process confirms both the exposure and the authenticity of the token, so a random 40-character hexadecimal string in the page (for example a commit hash) is not reported on its own. The scanner uses pattern matching and DSL conditions to ensure accurate detection.
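The two-step check described above (find 40-character hexadecimal candidates in a response body, then confirm each one against `/api/authentication/validate`) can be reproduced as a self-check for your own SonarQube deployment. The code below is an added illustration, not the scanner's own implementation or SonarSource code. It assumes the `Bearer` scheme in the Authorization header and a JSON body with a boolean `valid` key; the sample HTML and the offline `fake_fetch` stand-in are constructed for the example, and a real run would pass an HTTP client in place of `fake_fetch`.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

# Candidate tokens: 40 hexadecimal characters, as the scanner description states.
# The lookaround guards stop a 40-hex run inside a longer hash (e.g. a SHA-256)
# from being reported as a token, which a plain [0-9a-f]{40} would do.
TOKEN_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")

# Type of the injected HTTP call: (url, headers) -> (status_code, response_body)
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def find_candidate_tokens(body: str) -> List[str]:
    """Distinct 40-hex candidates in an HTTP response body, in order of first appearance."""
    seen: List[str] = []
    for match in TOKEN_RE.finditer(body):
        token = match.group(0)
        if token not in seen:
            seen.append(token)
    return seen


def build_validate_request(base_url: str, token: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the validation call (Bearer scheme is an assumption)."""
    url = base_url.rstrip("/") + "/api/authentication/validate"
    headers = {"Authorization": "Bearer " + token}
    return url, headers


def interpret_validate_response(status: int, body: str) -> bool:
    """True only for 200 OK *and* JSON that reports the token as valid.

    Checking the status alone is not enough: the endpoint can answer 200 with
    a body that says the token is not valid (assumed key name: 'valid').
    """
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("valid") is True


def scan_for_exposed_tokens(base_url: str, page_body: str, fetch: Fetcher) -> List[Dict[str, object]]:
    """Step 1: pattern-match candidates; step 2: validate each via the API.

    Only a truncated prefix of each candidate is kept in the findings so the
    report itself does not re-expose a live credential.
    """
    findings: List[Dict[str, object]] = []
    for token in find_candidate_tokens(page_body):
        url, headers = build_validate_request(base_url, token)
        status, body = fetch(url, headers)
        findings.append({
            "token_prefix": token[:6] + "...",
            "validated": interpret_validate_response(status, body),
        })
    return findings


# --- Constructed sample data for an offline run (not from any real system) ---
CONSTRUCTED_LIVE_TOKEN = "0123456789abcdef0123456789abcdef01234567"   # 40 hex chars
SAMPLE_BODY = """<html><script>
window.sonarConfig = { token: "0123456789abcdef0123456789abcdef01234567" };
// build: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 (64 hex, must be ignored)
var legacyToken = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
</script></html>"""


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in for the HTTP call; only the constructed token counts as valid."""
    if not url.endswith("/api/authentication/validate"):
        return 404, ""
    if headers.get("Authorization") == "Bearer " + CONSTRUCTED_LIVE_TOKEN:
        return 200, '{"valid":true}'
    return 200, '{"valid":false}'   # 200 status but not a valid token


if __name__ == "__main__":
    for finding in scan_for_exposed_tokens("https://sonar.example.invalid/", SAMPLE_BODY, fake_fetch):
        print(finding)
```

Run against a real deployment, `fetch` would be a thin wrapper around an HTTP client that returns `(response.status_code, response.text)`; the findings list reports only a prefix of each candidate, so the output can be attached to a ticket without copying the credential around.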

If this vulnerability is successfully exploited, unauthorized users can gain access to internal code analysis dashboards, project configurations, and potentially sensitive source code data. Attackers may manipulate project settings, disable rules, or inject malicious code into build pipelines. The breach of authentication mechanisms compromises the integrity and confidentiality of development environments. Organizations may face data leakage, loss of intellectual property, or even downstream security issues in released products. This could also lead to regulatory non-compliance and reputational damage.
