Bishop Fox Operator Jon Williams will be virtually presenting "What You Can't See CAN Hurt You: SonarQube Privilege Escalation via Hidden API Calls" at the 7th annual BSides Connecticut conference. BSides is a community-driven framework used to build events for and by information security community members, events where individuals have opportunities to both present and participate in an intimate atmosphere that encourages collaboration.
SonarQube is a source code static analyzer that is commonly used by developers and frequently left exposed. After gaining access to the application through a vulnerability or default credentials, you may not see any options for pivoting into the host environment. A thorough review of the API, however, reveals hidden commands that can be abused for arbitrary code execution and backdoor access. Learn how to exploit this attack chain and add another trick to your arsenal!