diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..e098be98 --- /dev/null +++ b/.gitignore @@ -0,0 +1,57 @@ + +# Created by https://www.gitignore.io/api/vim,java,maven,eclipse,code-java + +.vagrant + +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/build/ + +### VS Code ### +.vscode/ + +### Eclipse ### +.classpath +.factorypath +.project +.settings +.metadata +.springBeans +.sts4-cache +bin/ +tmp/ +*.tmp +*.bak +*.swp +*.launch + +### Java ### +*.class +*.log +*.jar +*.war +*.ear +*.zip +*.tar.gz +*.rar + +### Maven ### +target/ + +### Vim ### +[._]*.s[a-v][a-z] +[._]*.sw[a-p] +[._]s[a-v][a-z] +[._]sw[a-p] +Session.vim + +# End of https://www.gitignore.io/api/vim,java,maven,eclipse,code-java diff --git a/Dockerfile b/Dockerfile index cb80dcf7..0febee32 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,14 @@ FROM tomcat -COPY . . +COPY . /code +WORKDIR /code -RUN apt-get update ; apt-get install maven default-jdk -y ; update-alternatives --config javac +RUN apt-get update \ + && apt-get install -y \ + maven \ + openjdk-8-jdk -RUN mvn clean package ; cp target/*.war /usr/local/tomcat/webapps/ +RUN mvn clean package +RUN cp target/JavaVulnerableLab.war /usr/local/tomcat/webapps/ -CMD ["catalina.sh","run"] +CMD ["catalina.sh", "run"] diff --git a/README.md b/README.md index 7ed511d0..fa23e97b 100644 --- a/README.md +++ b/README.md @@ -1,75 +1,75 @@ -This is a "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation(www.cysecurity.org). This app is intended for the Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code. +# Java Vulnerabilities Lab -**The full course content is now available on Github for free:** +This is a **vulnerable** Web Application developed by [Cyber Security and Privacy Foundation](www.cysecurity.org). +This app is intended for the Java Developers and other people who wish to learn about Web Application vulnerabilities or simply write secure code because they are concerned about security - and **`everyone should!`**. -https://github.com/CSPF-Founder/JavaSecurityCourse +## Prerequisites: +- [Git](https://git-scm.com/downloads) +- with [Docker](https://docs.docker.com/install/), [docker-compose](https://docs.docker.com/compose/install/) and [Vagrant](https://www.vagrantup.com/docs/installation/) +- or [JDK8+](https://openjdk.java.net/install/), [Maven](http://maven.apache.org/install.html) and [tomcat 8](https://tomcat.apache.org/tomcat-8.5-doc/setup.html) -**The full course on Hacking and Securing Web Java Programs is available in** +## Deploy it -https://www.udemy.com/hacking-securing-java-web-programming/ +There are many easy way to deploy this application. -**Warning**: Don't run this app in Your Main Machine or in an online server. Install it in Vitual Machine. +1. Using Vagrant to run this application in a VM (containers are launched inside it, as describe in option #2) : - -How to Use/Setup ? -------------- +```sh +git clone https://github.com/softwaresecured/JavaVulnerableLab.git +cd JavaVulnerableLab +vagrant up +``` -**Method 1.Super Very Easiest Method: Docker** - The easiest way to use Java Vulnerable is using Docker which set up everything for you with 1 command line +2. Using Docker to run on a machine : - Steps: +```sh +git clone https://github.com/softwaresecured/JavaVulnerableLab.git +cd JavaVulnerableLab +docker-compose up -d javavulnlab mysql +``` - 1. Install Docker: https://docs.docker.com/engine/installation/ - 2. Install docker-compose: https://docs.docker.com/compose/install/ - 3. Inside this directory, run `sudo docker-compose up` and wait untill everything is configured for you. - 4. In your Browser, go to "http://localhost:8080/JavaVulnerableLab/install.jsp - 5. Change the JDBC URL from jdbc:mysql://localhost:3306 to jdbc:mysql://mysql:3306 - 6. Click the Install Button - 7. Enjoy :) +3. If not using Docker at all, you'll need to the JDBC URL in `config.properties` and `install.jsp` from : +``` +dburl=jdbc:mysql://mysql:3306/ => jdbc:mysql://localhost:3306 +``` -**Method 2.Very Easiest Method : VirtualBox VM** - The second most easiest way to use Java Vulnerable is using the VirtualBox VM which has everything set up and ready to use. - - Steps: - - 1. Install the VirtualBox : https://www.virtualbox.org/wiki/Downloads - 2. Download the VM Image from here : http://sourceforge.net/projects/javavulnerablelab/files/v0.1/JavaVulnerableLab.ova/download - 3. Import the JavaVulnerable.ova into VirtualBox. - 4. Change the Network Settings to Host-Only Network - 5. Start the Machine and Log into the Machine( Credentials; username: root password: cspf) - 6. Start Tomcat by entering "service tomcat start" in the Terminal - 7. Start mysql by entering "service mysql start" in the Terminal - 8. Find the IP Address of Machine - 9. In your Browser, go to "http://[IP_ADDRESS_OF_VM]:8080/JavaVulnerableLab/install.jsp - 10. Click the Install Button - 11. Enjoy :) - -**Method 3.Easiest Method : Standalone Web Application** - In this mehtod, you will be running an executable "JAR" file which runs the application with an embedded Apache Tomcat. - - Steps: - - 1. Install JDK - 2. Download Executable Jar from here: http://sourceforge.net/projects/javavulnerablelab/files/v0.2/JavaVulnerableLab.jar/download - 3. Double Click the JavaVulnerable.jar to run( if double click is not working, run this command "java -jar JavaVulnerable.jar" in your Terminal or CMD) - 4. In your Browser, go to "http://localhost:8080/JavaVulnerableLab/install.jsp - 5. Click the Install Button - -**Method 4. Using War file:** - This is a NORMAL method to deploy the WAR file. +4. If you want to play with it on a VPS, you'll need to the JDBC URL in `config.properties` and `install.jsp` from : + +``` +dburl=jdbc:mysql://mysql:3306/ => jdbc:mysql://SERVER_HOSTNAME_OR_IP_ADDRESS:3306 +``` + +And the link at next step will require the server hostname or IP address. + +5. You already have a tomcat, and want to deploy the application with a war. Steps: - 1. Install Apache Tomcat server - 2. Go to http://[Tomcat_INSTALLED_IP]:8080/manager/ (make sure you have modified tomcat-users.xml file of the tomcat to allow the manager). - 3. Download our WAR file from here: https://sourceforge.net/projects/javavulnerablelab/files/latest/JavaVulnerableLab.war/download - 4. Deploy the WAR in Apache Tomcat manager. - 5. Go to http://[Tomcat_INSTALLED_IP]:8080/JavaVulnerableLab/install.jsp - 6. Click the Install Button - - -Get the VulnerableSpring Project from here: -https://github.com/CSPF-Founder/VulnerableSpring + 1. Go to http://[Tomcat_INSTALLED_IP]:8080/manager/ (make sure you have modified tomcat-users.xml file of the tomcat to allow the manager). + 2. Download our WAR file from here: https://sourceforge.net/projects/javavulnerablelab/files/latest/JavaVulnerableLab.war/download + 3. Deploy the WAR in Apache Tomcat manager. + +## Experiment it + +1. Once the build is completed and the application is started, go to [/JavaVulnerableLab/install.jsp](http://localhost:8080/JavaVulnerableLab/install.jsp) + +2. And click on `Install` button, by leaving default values as-is. + +## Vulnerabilities Scan + +The Open Web Application Security Project (OWASP) team recommends many [tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools) to address security matters, allowing to scan the vulnerabilities of Web Applications. +One of the most popular is OWASP `Zed Attack Proxy` (**ZAP**). Please refer to this [guideline](docs/owasp-zap.md) for more details. +Also, if you need to automate everything in your Continuous Integration and Continuous Delivery (**CI/CD**) toolchain, you can go through this [guideline](docs/sonarqube.md). + +## Notes + +**The full course on Hacking and Securing Web Java Programs is available in** + +https://www.udemy.com/hacking-securing-java-web-programming/ + +**Warning**: It's not recommended to run this app in `Your Main Machine` or in an `online server`. Prefer using Docker or a VM (vagrant). + +You can also get the VulnerableSpring Project from [here](https://github.com/CSPF-Founder/VulnerableSpring). diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 00000000..c40cb591 --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,44 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + + config.ssh.insert_key = false + config.vm.box = 'centos/7' + + config.vm.provider :virtualbox do |v| + v.name = 'JavaVulns' + v.memory = 2048 + v.cpus = 2 + end + + config.vm.synced_folder ".", "/vagrant" + config.vm.network "private_network", ip: "192.168.10.10" + config.vm.network "forwarded_port", guest: 8080, host: 8000 + + config.vm.provision "init", privileged: true, type: "shell", inline: <<-SHELL + # sudo yum update -y + sudo yum -y install docker + sudo systemctl enable docker + sudo systemctl start docker + sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + SHELL + + config.vm.provision "run", type: "shell", inline: <<-SHELL + cd /vagrant + /usr/local/bin/docker-compose down + /usr/local/bin/docker-compose build + /usr/local/bin/docker-compose up -d javavulnlab mysql + SHELL + + config.vm.provision "sonar", type: "shell", inline: <<-SHELL + cd /vagrant + /usr/local/bin/docker-compose up -d sonarqube + sleep 10 + /bin/docker exec vagrant_javavulnlab_1 mvn sonar:sonar -Dsonar.host.url=http://192.168.10.10:9000 + SHELL + + end diff --git a/docker-compose.yml b/docker-compose.yml index 672bcaca..dd40e85a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,10 +2,18 @@ javavulnlab: build: . ports: - 8080:8080 - links: + links: - mysql mysql: - image: mysql + image: mysql:5.7 + ports: + - 3306:3306 environment: - MYSQL_ROOT_PASSWORD=root + +sonarqube: + build: ./sonarqube + ports: + - 9000:9000 + - 9092:9092 diff --git a/docs/assets/Java-SonarQube-OWASP-Vulnerabilities.png b/docs/assets/Java-SonarQube-OWASP-Vulnerabilities.png new file mode 100644 index 00000000..9101f220 Binary files /dev/null and b/docs/assets/Java-SonarQube-OWASP-Vulnerabilities.png differ diff --git a/docs/assets/owasp-zap-2.8.0-screenshot.png b/docs/assets/owasp-zap-2.8.0-screenshot.png new file mode 100644 index 00000000..736cbde9 Binary files /dev/null and b/docs/assets/owasp-zap-2.8.0-screenshot.png differ diff --git a/docs/owasp-zap.md b/docs/owasp-zap.md new file mode 100644 index 00000000..d0fcc04b --- /dev/null +++ b/docs/owasp-zap.md @@ -0,0 +1,14 @@ +# OWASP Zap Tool + +The Open Web Application Security Project (OWASP) provides a security tool, called `Zed Attack Proxy` (**ZAP**) to scan the vulnerabilities. +OWASP ZAP is one of the most popular security tools and is actively maintained. It comes with a UI and it allows to launch an automated scan against a URL of a web application - for example [http://localhost:8080/JavaVulnerableLab](http://localhost:8080/JavaVulnerableLab). + +![Alt Text](assets/owasp-zap-2.8.0-screenshot.png) + +You may download it [here](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). + +But in the software industry, we may want to automate to this inside the Continuous Integration and Continuous Delivery (**CI/CD**) toolchain. Generally, SonarQube is used to gather metrics related to the software quality and vulnerabilities. + + +Here, we can use a[ ZAP Plugin](https://github.com/Coveros/zap-sonar-plugin) for SonarQube 7.x to do just that. If you are interested in doing so, please refer to [this guideline](sonarqube.md). + diff --git a/docs/sonarqube.md b/docs/sonarqube.md new file mode 100644 index 00000000..dd2474b4 --- /dev/null +++ b/docs/sonarqube.md @@ -0,0 +1,83 @@ + +## Add configuration + +We need to add sonar configuration for the project to let mvn scan it. + +```sh +echo " +sonar.projectKey=org.cysecurity:JavaVulnerableLab +sonar.projectName=pJavaVulnerableLab +sonar.projectVersion=0.0.1-SNAPSHOT +sonar.sources=src/main/java +sonar.sourceEncoding=UTF-8 +sonar.binaries=target/classes +sonar.java.binaries=target/classes +sonar.tests=src/test/java +sonar.scm.provider=git + +#Java report only +sonar.language=java + +sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml +" > ./sonar-project.properties +``` + +The line below indicates to the Maven Sonar plugin to use the ZAP-Proxy plugin when do a scan in the project codebase : + +``` +sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml +``` + +## ZAP Sonar plugin + +We can use a plugin that has been developed by Gene Gotimer ([zap-sonar-plugin](https://github.com/Coveros/zap-sonar-plugin)). And for information, as per the time this is being tested, that plugin requires SonarQube 7.9. + +## SonarQube instance + +In order to be able to scan the code for vulnerabilities as well as for code qualimetry (coverage, duplication...), we need a running instance of SonarQube. +Here we can use Docker to provide that instance. It's the simpliest way. The sonarqube/Dockerfile is doing the job for you. Within the Dockerfile, the Zap-Proxy plugin jar is added. As per the time this is written, that plugin requires the current LTS version is 7.9 of SonarQube. + +You may run the below commands on the machine (Vagrant VM, or VPS, local machine) : + +``` +docker-compose build sonarqube +docker-compose up -d sonarqube +``` + +## Run a scan + +Run this command to analyse the codebase : + +If using Vagrant : + +```sh +vagrant ssh +sudo su - +cd /vagrant +docker-compose up -d sonarqube +sleep 5 +docker exec vagrant_javavulnlab_1 mvn sonar:sonar -Dsonar.host.url=http://192.168.10.10:9000 +``` + +If SonarQube is running inside a container on a VM : + +```sh +docker exec javavulnerablelab_javavulnlab_1 mvn sonar:sonar -Dsonar.host.url=http://HOSTNAME_OR_IP_ADDRESS:9000 +``` + +If you are directly on a machine : + +```sh +mvn sonar:sonar +``` + +Here, by default it connects to http://localhost:9000. + +It connects to the SonarQube server to retrieve information, such as rules and plugins to apply while scanning the code. +Once the scan is completed, the resulting metrics are sent to the SonarQube server. Then you may see the dashboard [here](http://localhost:9000). + +## Quality Metrics + +Once this is done, we can see the [vulnerabilities](http://127.0.0.1:9000/project/issues?id=org.cysecurity%3AJavaVulnerableLab&resolved=false&sonarsourceSecurity=sql-injection&types=SECURITY_HOTSPOT) metrics on SonarQube. + +![Alt Text](assets/Java-SonarQube-OWASP-Vulnerabilities.png) \ No newline at end of file diff --git a/pom.xml b/pom.xml index e90d5213..0a5693aa 100644 --- a/pom.xml +++ b/pom.xml @@ -7,11 +7,19 @@ 0.0.1-SNAPSHOT JavaVulnerableLab Maven Webapp http://maven.apache.org + + UTF-8 + 9.4.0.v20161208 + 4.0.2.RELEASE + 8.0.28 + 1.8 + 1.8 + junit junit - 3.8.1 + 4.12 test diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..742619cc --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,14 @@ +sonar.projectKey=org.cysecurity:JavaVulnerableLab +sonar.projectName=pJavaVulnerableLab +sonar.projectVersion=0.0.1-SNAPSHOT +sonar.sources=src/main/java +sonar.sourceEncoding=UTF-8 +sonar.binaries=target/classes +sonar.java.binaries=target/classes +sonar.tests=src/test/java +sonar.scm.provider=git + +#Java report only +sonar.language=java + +sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml diff --git a/sonarqube/Dockerfile b/sonarqube/Dockerfile new file mode 100644 index 00000000..2c51dac7 --- /dev/null +++ b/sonarqube/Dockerfile @@ -0,0 +1,10 @@ + +FROM sonarqube:lts +USER root +RUN apt-get update && apt-get install -y wget + +USER sonarqube +RUN wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-1.2.0/sonar-zap-plugin-1.2.0.jar -O /opt/sonarqube/extensions/plugins/sonar-zap-plugin-1.2.0.jar + +ENTRYPOINT ["./bin/run.sh"] + diff --git a/sonarqube/run.sh b/sonarqube/run.sh new file mode 100755 index 00000000..66ae2b83 --- /dev/null +++ b/sonarqube/run.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +set -e + +if [ "${1:0:1}" != '-' ]; then + exec "$@" +fi + +#chown -R sonarqube:sonarqube $SONARQUBE_HOME +exec + java -jar lib/sonar-application-$SONAR_VERSION.jar \ + -Dsonar.log.console=true \ + -Dsonar.jdbc.username="$SONARQUBE_JDBC_USERNAME" \ + -Dsonar.jdbc.password="$SONARQUBE_JDBC_PASSWORD" \ + -Dsonar.jdbc.url="$SONARQUBE_JDBC_URL" \ + -Dsonar.security.realm="$SONARQUBE_SECURITY_REALM" \ + -Dsonar.security.savePassword="$SONARQUBE_SECURITY_SAVEPASSWORD" \ + -Dldap.bindDn="$SONARQUBE_LDAP_BINDDN" \ + -Dldap.bindPassword="$SONARQUBE_LDAP_BINDPASSWORD" \ + -Dldap.url="$SONARQUBE_LDAP_URL" \ + -Dldap.user.baseDn="$SONARQUBE_LDAP_USER_BASEDN" \ + -Dldap.user.request="$SONARQUBE_LDAP_USER_REQUEST" \ + -Dldap.user.realNameAttribute="$SONARQUBE_LDAP_USER_REALNAMEATTRIBUTE" \ + -Dldap.group.baseDn="$SONARQUBE_LDAP_GROUP_BASEDN" \ + -Dldap.group.request="$SONARQUBE_LDAP_GROUP_REQUEST" \ + -Dldap.group.idAttribute="$SONARQUBE_LDAP_GROUP_IDATTRIBUTE" \ + -Dsonar.ce.javaOpts="$SONARQUBE_CE_JVM_OPTS" \ + -Dsonar.web.javaOpts="$SONARQUBE_WEB_JVM_OPTS" \ + -Dsonar.web.javaAdditionalOpts="-Djava.security.egd=file:/dev/./urandom" \ + "$@" \ No newline at end of file