Bookmark Service Application

An insecure Spring Boot based Java service providing an API to store and retrieve browser bookmarks for different users.

  • main branch: The insecure variant of this application, with many security tests covering several topics of the OWASP Top 10 (2021) and the OWASP ASVS 4.x (only secured via basic authentication and form based login, without any authorization checks)

  • secure branch: The secure variant (all security tests should be green). Still using basic authentication and form based login, but including authorization checks.

REST API

This application provides a basic bookmark administration (like in your web browsers).

You may ask for bookmarks of user Bruce Wayne like this:

http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:wayne

You could also just access the bookmarks of another user by changing the userid, which succeeds because authorization is broken (broken access control):

http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:banner

Or just ask for the complete list of users (which you usually should not expose to all users!):

http :9090/api/users --auth [email protected]:wayne
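The broken access control shown above, with the check that closes it and an integration test of the kind the "Broken Access Control Tests" layer would run. This is an added example, not code from the project: it assumes a BookmarkRepository with findAllByUserId, a Bookmark entity, a User principal exposing getId() as a UUID, and that the test profile seeds the users from the commands above.

```java
// Added example (not the project's code). Assumed: BookmarkRepository, Bookmark, User.getId() -> UUID.
import java.util.List;
import java.util.UUID;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@RestController
class BookmarkController {
    private final BookmarkRepository bookmarkRepository;
    BookmarkController(BookmarkRepository bookmarkRepository) {
        this.bookmarkRepository = bookmarkRepository;
    }

    // The insecure variant trusts the userid parameter, so any authenticated caller can read
    // anyone's bookmarks. Fix: the parameter must match the authenticated principal;
    // Spring Security maps AccessDeniedException to HTTP 403 for logged-in users.
    @GetMapping("/api/bookmarks")
    List<Bookmark> bookmarks(@RequestParam("userid") UUID userId,
                             @AuthenticationPrincipal User principal) {
        if (!principal.getId().equals(userId)) {
            throw new AccessDeniedException("bookmarks belong to another user");
        }
        return bookmarkRepository.findAllByUserId(userId);
    }
}

// Broken Access Control test: a second authenticated user requests Bruce Wayne's
// bookmarks (id from the README above) and must receive 403 instead of the data.
@SpringBootTest
@AutoConfigureMockMvc
class BrokenAccessControlTest {
    private static final String OTHER_USER = "other-user@example.invalid"; // placeholder login
    @Autowired MockMvc mockMvc;
    @Test
    void readingAnotherUsersBookmarksIsForbidden() throws Exception {
        mockMvc.perform(get("/api/bookmarks")
                .param("userid", "c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48")
                .with(httpBasic(OTHER_USER, "banner")))
            .andExpect(status().isForbidden());
    }
}
```

Against the main branch this test fails (200 with the other user's bookmarks); against the secure branch it passes.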

Security Tests

The security tests include the following types:

  • Unit Test Layer
    • Static Code Analysis using SpotBugs & SonarQube (both using the respective Gradle Plugins)
    • OWASP Dependency Check
    • Security Architecture Tests (using ArchUnit)
    • Input Validation Tests
    • Broken Authentication Tests
  • Integration Test Layer
    • Security Misconfiguration Tests
    • Injection (SQL Injection) Tests
    • Broken Access Control Tests
  • UI/Workflow Layer
    • Dynamic Security Tests using OWASP Zap

Static application security testing

Semgrep

To check the project with the OSS Semgrep scanner, run this command inside the project root folder:

semgrep scan --config auto

SonarQube

To use SonarQube for security analysis, the easiest way is the provided Docker container. Follow the Getting Started Guide using the Docker container approach described there, then continue in the same guide with Analyzing a Project.

After you have configured the project in SonarQube you can trigger the project analysis by issuing the following command:

./mvnw sonar:sonar -Dsonar.projectKey=PROJECT_KEY \
                   -Dsonar.projectName='PROJECT_NAME' \
                   -Dsonar.host.url=http://localhost:9000 \
                   -Dsonar.token=THE_GENERATED_TOKEN

Please replace PROJECT_KEY, PROJECT_NAME and THE_GENERATED_TOKEN with your own values.