SasanLabs / VulnerableApp-facade

VulnerableApp-facade is probably the most modern lightweight distributed farm of Vulnerable Applications, built for handling a wide range of vulnerabilities across tech stacks.
Apache License 2.0

Write readme and document getting started guide #13

Open preetkaran20 opened 3 years ago

preetkaran20 commented 3 years ago

While discussing with @nowakkamil, we found that we are missing readme details and documentation, so we need to add them.

preetkaran20 commented 3 years ago

Updated the readme file; however, the contributing guideline still needs to be updated.

preetkaran20 commented 3 years ago

Update the Readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/ which has github repository: https://github.com/OWASP/www-project-vulnerableapp-facade as they both point to old docker image.

preetkaran20 commented 3 years ago

Update the Readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/ which has github repository: https://github.com/OWASP/www-project-vulnerableapp-facade as they both point to old docker image.

Updated the docker image links.

preetkaran20 commented 3 years ago

Left items in this task:

  1. Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
  2. A new file explaining, how to contribute to the project. This is needed as we are building the UI in react and might require some explanation regarding coding structure.
  3. Update readme with the project's tech stack.
  4. Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project.

lmcdo commented 2 years ago

Hi, I can help with this. Can you tell me where I can find whatever information is required to do this documentation?

preetkaran20 commented 2 years ago

Hi @lmcdo ,

Some documentation links which are very up to date:

  1. Readme for this project: https://github.com/SasanLabs/VulnerableApp-facade#readme
  2. OWASP Spotlight intro: https://www.youtube.com/watch?v=HRRTrnRgMjs&ab_channel=VandanaVerma
  3. Our thoughts: https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade

Older references that still hold good information:

  1. Older video explaining the initial project: https://www.youtube.com/watch?v=AjL4B-WwrrA&ab_channel=OwaspVulnerableApp
  2. Older documentation: https://sasanlabs.github.io/VulnerableApp/
  3. Design document: https://sasanlabs.github.io/VulnerableApp/DesignDocumentation.html
  4. Blog: https://hussaina-begum.medium.com/an-extensible-vulnerable-application-for-testing-the-vulnerability-scanning-tools-cc98f0d94dbc
  5. https://github.com/SasanLabs/VulnerableApp-jsp and https://github.com/SasanLabs/VulnerableApp-php, depicting how any vulnerable application can leverage the VulnerableApp-facade.

Please let me know if you need more context, we can discuss over a call.

thanks, Karan

lmcdo commented 2 years ago

Hi Karan, Thanks for your reply. I have read through the code, the documentation, the OWASP website and watched the two videos attached, but I am new to OWASP and the general vulnerable apps scene, so I am currently still trying to understand it all. I am experienced in full-stack and React. Happy to talk on a call too.

The items below (I copied the text from the GitHub issues) seem to be the current ones, I think? I am asking everything in a bid to learn as much as possible, please direct where possible :)

Left items in this task:

  1. Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project. Is there any current documentation or references for this? The best I can guess that this refers to is in the OWASP Spotlight video (see attached screenshot) where some edits are made to a java file for Title, Description and Hints.
  2. A new file explaining, how to contribute to the project. This is needed as we are building the UI in react and might require some explanation regarding coding structure. Are there further requirements for this? E.g. Is the current How to Contribute ok? How much detail would be good for the explanation of Coding Structure (do you have an example in mind)?
  3. Update readme with the project's tech stack. Is there a model/example for this, or is there a defined place to get this?
  4. Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project. Could you please expand on which updates that are needed for this project?

preetkaran20 commented 2 years ago

Hi @lmcdo,

On pointer 1, the way we configure a vulnerable app is via a json contract and you can find the contract details in https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade. Also you can look into https://github.com/SasanLabs/VulnerableApp-facade/blob/main/nginx.conf and https://github.com/SasanLabs/VulnerableApp-facade/blob/main/lua-modules/vulnerableapp_utility.lua on how we configured 3 vulnerable apps.

On pointer 2, I think the current structure has issues explaining how to debug or set up locally; we need a document or a video explaining how to configure or remove one app under the vulnerable app facade, etc., in order to just run the application as well as to develop or enhance it.

On pointer 3, we just need to tell about the React version we are using in the readme as well as the npm version. We can also include a video explaining how the entire architecture of the application is built, etc., if possible.

Pointer 4, we can ignore.

Thanks, Karan

lmcdo commented 2 years ago

Hi Karan, I suppose I have not had enough exposure to the use cases of vulnerability testing and scanning to fully understand this use case! I read a lot more around this but can't resolve it. I would have thought that a vulnerable app was an app, e.g. a web app with its own features and purpose which has either known or unknown security weaknesses. But here, OWASP Vulnerability App is something to fix/diagnose such a vulnerable app, not a vulnerable app itself, so it is ambiguous. I don't understand the relation between the OWASP Vulnerability app, the testing scanner and a sample vulnerability, or the process and reasoning of how the json file configuration works (together, possibly, with the java code editing in the OWASP Spotlight video). Sorry about that. I would be able to help if I could get some more basic orientation, thanks for any info.

preetkaran20 commented 2 years ago

Hi @lmcdo,

I think the best way to discuss all these points is over a call. I work in the IST timezone till 10 PM IST, so let me know when we can connect? Happy to connect today as well.

thanks, Karan

lmcdo commented 2 years ago

Right, I am AEST, Sydney Australia, it's 9 pm here now. Possibly my tomorrow 5pm your 12.30 pm?

preetkaran20 commented 2 years ago

@lmcdo Sure works for me, please schedule a meeting on google meet. My email address is: preetkaran20@gmail.com

thanks, Karan

lmcdo commented 2 years ago

Sorry, use this one, this link is for tomorrow 12.30 IST: https://meet.google.com/nez-imjd-fbv

lmcdo commented 2 years ago

Hi Karan, Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.

  1. I find I still don't have a clue as to the test scanner use case :( Downloading and running the Facade project is easy enough, and I see that docker compose downloads and gets the Vulnerable App, plus jsp and php versions, and then populates the UI. But how is this useful for "testing a test scanner" which you said was the purpose of this VulnerableApp Facade? How to use the Levels in this process? There is no clue in the documentation.

  2. The end user (test scanner dev, security/testing student) will want to edit their own app vulnerabilities, but these files need to go in the docker container, and that is why the Readme currently says "make a copy of docker.compose.yml" in order to deploy the changes that the user makes to their own code. Should the onboarding document provide a description of the preferred docker process?

preetkaran20 commented 2 years ago

Hi @lmcdo ,

  1. I find I still don't have a clue as to the test scanner use case :( Downloading and running the Facade project is easy enough, and I see that docker compose downloads and gets the Vulnerable App, plus jsp and php versions, and then populates the UI. But how is this useful for "testing a test scanner" which you said was the purpose of this VulnerableApp Facade? How to use the Levels in this process? There is no clue in the documentation.

[Karan] If you go to the http://localhost/VulnerabilityDefinitions endpoint, you can see all the vulnerabilities present in the VulnerableApps. So scanners can run against the VulnerableApp and find vulnerabilities, and then compare them with the response from the http://localhost/VulnerabilityDefinitions endpoint to see if the scanner has found the right vulnerabilities. Please have a look at the video https://youtu.be/HRRTrnRgMjs?t=311. The link starts at the point where I explain how scanners can use VulnerableApp.

  2. The end user (test scanner dev, security/testing student) will want to edit their own app vulnerabilities, but these files need to go in the docker container, and that is why the Readme currently says "make a copy of docker.compose.yml" in order to deploy the changes that the user makes to their own code. Should the onboarding document provide a description of the preferred docker process?

[Karan] Yes, the newer app onboarding should build a docker and update the docker-compose.yml something like we did for our own vulnerable application. Have a look at point 1 under https://github.com/SasanLabs/VulnerableApp#building-the-project for more information.
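As an added illustration of the scanner-evaluation flow Karan describes (this is example code written for this thread, not code from the VulnerableApp-facade project), the script below diffs a scanner's findings against the ground truth served by the VulnerabilityDefinitions endpoint. The JSON shape (a list of `endpoint`/`type` entries), the sample endpoint paths and the scanner output are assumptions constructed for the example, not the facade's real schema.

```python
import json
from urllib.request import urlopen

# Constructed ground truth in the shape this example ASSUMES the endpoint
# returns; the facade's real VulnerabilityDefinitions schema is not reproduced.
SAMPLE_DEFINITIONS_JSON = json.dumps([
    {"endpoint": "/VulnerableApp/XSS/LEVEL_1", "type": "XSS"},
    {"endpoint": "/VulnerableApp/SQLInjection/LEVEL_1", "type": "SQL_INJECTION"},
    {"endpoint": "/VulnerableApp/PathTraversal/LEVEL_2", "type": "PATH_TRAVERSAL"},
])

# Constructed output of a hypothetical scanner run against the same deployment.
SAMPLE_SCANNER_FINDINGS = [
    {"endpoint": "/VulnerableApp/XSS/LEVEL_1", "type": "XSS"},
    {"endpoint": "/VulnerableApp/SQLInjection/LEVEL_1", "type": "SQL_INJECTION"},
    {"endpoint": "/VulnerableApp/Login", "type": "SQL_INJECTION"},  # not in ground truth
]


def load_definitions(url="http://localhost/VulnerabilityDefinitions", raw=None):
    """Return the ground-truth list; pass raw JSON text to stay offline."""
    text = raw if raw is not None else urlopen(url, timeout=10).read().decode()
    return json.loads(text)


def to_keys(entries):
    # A finding matches a definition when both endpoint and vulnerability type agree.
    return {(e["endpoint"], e["type"]) for e in entries}


def compare_findings(definitions, findings):
    """Score a scanner run: what it found, what it missed, what it invented."""
    expected, reported = to_keys(definitions), to_keys(findings)
    tp, fn, fp = expected & reported, expected - reported, reported - expected
    return {
        "true_positives": sorted(tp),
        "missed": sorted(fn),            # definitions the scanner failed to detect
        "false_positives": sorted(fp),   # reports with no matching definition
        "recall": len(tp) / len(expected) if expected else 0.0,
        "precision": len(tp) / len(reported) if reported else 0.0,
    }


if __name__ == "__main__":
    defs = load_definitions(raw=SAMPLE_DEFINITIONS_JSON)  # offline sample data
    print(json.dumps(compare_findings(defs, SAMPLE_SCANNER_FINDINGS), indent=2))
```

Against a running facade, call `load_definitions()` without `raw` to fetch the live list instead of the constructed sample.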

lmcdo commented 2 years ago

Hi Karan, Since there is Java code in any new vulnerability implementation (is this the "business logic" that you mention at 10:45 on the Spotlight video you sent me?) required in SampleVulnerability.java (GenericVulnerabilityResponseBean) in order to demonstrate onboarding a new vulnerability, I'm not competent for this task, being a frontend developer. Sorry.

preetkaran20 commented 2 years ago

@lmcdo Thanks for all the inputs and hard work you did for this task. Shall I unassign this task?

thanks, Karan

lmcdo commented 2 years ago

Yes, no worries.
