Open preetkaran20 opened 3 years ago
Updated the readme file; however, the contributing guideline still needs to be updated.
Update the Readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/ which has github repository: https://github.com/OWASP/www-project-vulnerableapp-facade as they both point to old docker image.
Updated the docker image links.
Left items in this task:
Hi, I can help with this. Can you tell me where I can find whatever information is required to do this documentation?
Hi @lmcdo ,
Some of the documentation links which are very up to date:
- Readme for this project https://github.com/SasanLabs/VulnerableApp-facade#readme
- OWASP Spotlight intro https://www.youtube.com/watch?v=HRRTrnRgMjs&ab_channel=VandanaVerma
- Our thoughts https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade
Older references but still hold good information:
- Older video explaining the initial project https://www.youtube.com/watch?v=AjL4B-WwrrA&ab_channel=OwaspVulnerableApp
- Older documentation https://sasanlabs.github.io/VulnerableApp/
- Design document https://sasanlabs.github.io/VulnerableApp/DesignDocumentation.html
- Blog https://hussaina-begum.medium.com/an-extensible-vulnerable-application-for-testing-the-vulnerability-scanning-tools-cc98f0d94dbc
- https://github.com/SasanLabs/VulnerableApp-jsp and https://github.com/SasanLabs/VulnerableApp-php depicting how any vulnerable application can leverage the VulnerableApp-facade.
Please let me know if you need more context; we can discuss over a call.
thanks, Karan
Hi Karan, Thanks for your reply. I have read through the code, the documentation, the OWASP website and watched the two videos attached, but I am new to OWASP and the general vulnerable apps scene, so I am currently still trying to understand it all. I am experienced in fullstack and React. Happy to talk on a call too.
The items below (I copied the text from the GitHub Issues) seem to be the current ones, I think? I am asking everything in a bid to learn as much as possible, please direct where possible :)
Left items in this task:
— Reply to this email directly, view it on GitHub https://github.com/SasanLabs/VulnerableApp-facade/issues/13#issuecomment-1147686996, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA7OJ4OZMSUQCMQS752HGJDVNYXA7ANCNFSM434NAVYA . You are receiving this because you were mentioned.Message ID: @.***>
Hi @lmcdo,
On pointer 1, the way we configure a vulnerable app is via a JSON contract, and you can find the contract details in https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade. Also, you can look into https://github.com/SasanLabs/VulnerableApp-facade/blob/main/nginx.conf and https://github.com/SasanLabs/VulnerableApp-facade/blob/main/lua-modules/vulnerableapp_utility.lua to see how we configured 3 vulnerable apps.
On pointer 2, I think the current structure has issues in explaining the ways to debug / set up locally. We need a document or a video explaining how to configure or remove one app under the vulnerable app facade etc., both in order to just run the application and in order to develop or enhance it.
On pointer 3, we just need to mention the React version we are using in the readme, as well as the npm version. We can also include a detailed video explaining how the entire architecture of the application is built etc., if possible.
Pointer 4, we can ignore.
Thanks, Karan
Hi Karan, I suppose I have not had enough exposure to the use cases of vulnerability testing and scanning to fully understand this use case! I read a lot more around this but can't resolve it. I would have thought that a vulnerable app was an app, e.g. a web app with its own features and purpose, which has either known or unknown security weaknesses. But here, OWASP Vulnerability App is something to fix/diagnose such a vulnerable app, not a vulnerable app itself, so it is ambiguous. I don't understand the relation between the OWASP Vulnerability app, the testing scanner and a sample vulnerability, or the process and reasoning of how the JSON file configuration works (together, possibly, with the Java code editing in the OWASP Spotlight video). Sorry about that. I would be able to help if I could get some more basic orientation, thanks for any info.
Hi @lmcdo,
I think the best way to discuss all these points is over a call. I work in the IST timezone till 10 PM IST, so let me know when we can connect. Happy to connect today as well.
thanks, Karan
Right, I am AEST, Sydney Australia, it's 9 pm here now. Possibly my tomorrow 5pm your 12.30 pm?
@lmcdo Sure works for me, please schedule a meeting on google meet. My email address is: preetkaran20@gmail.com
thanks, Karan
Sorry, use this one; this link is for tomorrow 12.30 IST: https://meet.google.com/nez-imjd-fbv
Hi Karan, Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
I find I still don't have a clue as to the test scanner use case :( Downloading and running the Facade project is easy enough, and I see that docker compose downloads and gets the Vulnerable App, plus jsp and php versions, and then populates the UI. But how is this useful for "testing a test scanner" which you said was the purpose of this VulnerableApp Facade? How to use the Levels in this process? There is no clue in the documentation.
The end user (test scanner dev, security/testing student) will want to edit their own app vulnerabilities, but these files need to go in the docker container, and that is why the Readme currently says "make a copy of docker.compose.yml" in order to deploy the changes that the user makes to their own code. Should the onboarding document provide a description of the preferred docker process?
Hi @lmcdo ,
[Karan] If you go to the http://localhost/VulnerabilityDefinitions endpoint, you can see all the vulnerabilities present in the VulnerableApps. So scanners can run against the VulnerableApp and find vulnerabilities, and then they can compare what they found with the response from the http://localhost/VulnerabilityDefinitions endpoint to see if the scanner has found the right vulnerabilities. Please have a look at the video https://youtu.be/HRRTrnRgMjs?t=311. The link starts from the point where I explain how scanners can use VulnerableApp.
[Karan] Yes, the newer app onboarding should build a docker and update the docker-compose.yml something like we did for our own vulnerable application. Have a look at point 1 under https://github.com/SasanLabs/VulnerableApp#building-the-project for more information.
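The comparison Karan describes above (scanner findings versus the facade's VulnerabilityDefinitions endpoint), as an added example that is not part of the project or this thread. The response shape (a list of objects with a `path` and a `type` field) and the sample paths are assumptions; the real contract is in the wiki linked earlier in the thread.

```python
"""Score a scanner run against VulnerableApp's /VulnerabilityDefinitions.

Added example, not project code. The JSON shape below is an ASSUMPTION:
a list of {"path": ..., "type": ...} objects; the real schema lives in
the facade's contract wiki.
"""
import json
import sys
from urllib.request import urlopen

# Constructed stand-in for the endpoint response (assumed shape, made-up paths).
SAMPLE_DEFINITIONS = [
    {"path": "/VulnerableApp/XSS/Level1", "type": "XSS"},
    {"path": "/VulnerableApp/SQLi/Level1", "type": "SQL_INJECTION"},
    {"path": "/VulnerableApp/PathTraversal/Level1", "type": "PATH_TRAVERSAL"},
]

# Constructed scanner output: one true positive, two misses, one false positive.
SAMPLE_SCANNER_FINDINGS = [
    {"path": "/VulnerableApp/XSS/Level1", "type": "XSS"},
    {"path": "/VulnerableApp/SQLi/Level1", "type": "XSS"},
]


def fetch_definitions(url="http://localhost/VulnerabilityDefinitions"):
    """Pull the ground truth from a running facade (assumed JSON list)."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def compare(definitions, findings):
    """Match findings to definitions on (path, type); return a scorecard."""
    expected = {(d["path"], d["type"]) for d in definitions}
    found = {(f["path"], f["type"]) for f in findings}
    hits = expected & found
    return {
        "true_positives": sorted(hits),
        "missed": sorted(expected - found),          # false negatives
        "false_positives": sorted(found - expected),
        "recall": len(hits) / len(expected) if expected else 0.0,
        "precision": len(hits) / len(found) if found else 0.0,
    }


if __name__ == "__main__":
    # Pass --live to score against a real facade on localhost; otherwise use the samples.
    defs = fetch_definitions() if "--live" in sys.argv else SAMPLE_DEFINITIONS
    print(json.dumps(compare(defs, SAMPLE_SCANNER_FINDINGS), indent=2))
```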
Hi Karan, Since there is Java code in any new vulnerability implementation (is this the "business logic" that you mention at 10:45 in the Spotlight video you sent me?), required in SampleVulnerability.java (GenericVulnerabilityResponseBean) in order to demonstrate onboarding a new vulnerability, I'm not competent for this task, being a frontend developer. Sorry.
@lmcdo Thanks for all the inputs and hard work you did for this task. Shall I unassign this task?
thanks, Karan
yes no worries
While discussing with @nowakkamil found that we are missing readme details and documentation so need to add it.