SasanLabs / VulnerableApp-facade

VulnerableApp-facade is probably the most modern lightweight distributed farm of vulnerable applications, built to cover a wide range of vulnerabilities across tech stacks.
Apache License 2.0

Feature/issue 60 #94

Closed merry-degaga closed 1 year ago

merry-degaga commented 1 year ago

Added 'scanner' to nginx.conf. Used nginx regex capture location to reduce duplication.

codecov-commenter commented 1 year ago

Codecov Report

Merging #94 (fa9ac1c) into main (d0822ef) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #94   +/-   ##
=======================================
  Coverage   86.66%   86.66%           
=======================================
  Files           9        9           
  Lines         150      150           
  Branches       41       41           
=======================================
  Hits          130      130           
  Misses         18       18           
  Partials        2        2           


preetkaran20 commented 1 year ago

@merry-degaga I tried using /scanner/sast and it is showing the following response: {"VulnerableApp-php":/VulnerableApp-php/scanner/sast is not available}

Can you please check and fix this. Also, there is one more bug: we can use /scanner/dast or /scanner/dast<anything here> and it will still route to the same page. Is there a way to fix it?

merry-degaga commented 1 year ago

> @merry-degaga I tried using /scanner/sast and it is showing the following response: {"VulnerableApp-php":/VulnerableApp-php/scanner/sast is not available} Can you please check and fix this.

What is the expected response for /scanner/sast? Should it be { "VulnerableApp":/VulnerableApp/scanner/sast is not available "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/sast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/sast is not available } ?

Likewise for scanner/dast? { "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/dast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/dast is not available } ?

From the logs it looks like it is always calling /VulnerableApp-php from any of the endpoints (/scanner/sast, /scanner/dast, and /VulnerabilityDefinitions). I just inserted the logs from the /scanner/sast endpoint as an example:

vulnerableapp-facade-VulnerableApp-facade-1 | 172.20.0.1 - - [29/Nov/2022:17:26:56 +0000] "GET /scanner/sast HTTP/1.1" 200 82 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"
vulnerableapp-facade-VulnerableApp-php-1 | 172.20.0.5 - - [29/Nov/2022:17:26:56 +0000] "GET /VulnerableApp-php/scanner/sast HTTP/1.0" 200 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"

> Also, there is one more bug: we can use /scanner/dast or /scanner/dast and it will still route to the same page. Is there a way to fix it?

Would like clarification on this: /scanner/dast or /scanner/dast should route to the same page?

preetkaran20 commented 1 year ago

> What is the expected response for /scanner/sast? Should it be { "VulnerableApp":/VulnerableApp/scanner/sast is not available "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/sast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/sast is not available } ?

It should be empty {}. If you look at the method definition, you will find that we are catching error codes and not merging the responses.

> Likewise for scanner/dast? { "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/dast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/dast is not available } ?

No, we want to ignore failures.

> From the logs it looks like it is always calling /VulnerableApp-php from any of the endpoints (/scanner/sast, /scanner/dast, and /VulnerabilityDefinitions). I just inserted the logs from the /scanner/sast endpoint as an example:
>
> vulnerableapp-facade-VulnerableApp-facade-1 | 172.20.0.1 - - [29/Nov/2022:17:26:56 +0000] "GET /scanner/sast HTTP/1.1" 200 82 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"
> vulnerableapp-facade-VulnerableApp-php-1 | 172.20.0.5 - - [29/Nov/2022:17:26:56 +0000] "GET /VulnerableApp-php/scanner/sast HTTP/1.0" 200 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"

It should not. VulnerabilityDefinitions should be calling all three and merging the responses, and the same should be true for the others as well.

> > Also, there is one more bug: we can use /scanner/dast or /scanner/dast and it will still route to the same page. Is there a way to fix it?
>
> Would like clarification on this: /scanner/dast or /scanner/dast should route to the same page?

GitHub has removed anything in the angle braces. The question was: there is one more bug, we can use /scanner/dast or /scanner/dast<anything here> and it will still route to the same page. Is there a way to fix it?

merry-degaga commented 1 year ago

> > What is the expected response for /scanner/sast? Should it be { "VulnerableApp":/VulnerableApp/scanner/sast is not available "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/sast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/sast is not available } ?
>
> It should be empty {}. If you look at the method definition, you will find that we are catching error codes and not merging the responses.
>
> > Likewise for scanner/dast? { "VulnerableApp-jsp":/VulnerableApp-jsp/scanner/dast is not available "VulnerableApp-php":/VulnerableApp-php/scanner/dast is not available } ?
>
> No, we want to ignore failures.
>
> > From the logs it looks like it is always calling /VulnerableApp-php from any of the endpoints (/scanner/sast, /scanner/dast, and /VulnerabilityDefinitions). I just inserted the logs from the /scanner/sast endpoint as an example:
> >
> > vulnerableapp-facade-VulnerableApp-facade-1 | 172.20.0.1 - - [29/Nov/2022:17:26:56 +0000] "GET /scanner/sast HTTP/1.1" 200 82 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"
> > vulnerableapp-facade-VulnerableApp-php-1 | 172.20.0.5 - - [29/Nov/2022:17:26:56 +0000] "GET /VulnerableApp-php/scanner/sast HTTP/1.0" 200 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62"
>
> It should not. VulnerabilityDefinitions should be calling all three and merging the responses, and the same should be true for the others as well.
>
> > > Also, there is one more bug: we can use /scanner/dast or /scanner/dast and it will still route to the same page. Is there a way to fix it?
> >
> > Would like clarification on this: /scanner/dast or /scanner/dast should route to the same page?
>
> GitHub has removed anything in the angle braces. The question was: there is one more bug, we can use /scanner/dast or /scanner/dast<anything here> and it will still route to the same page. Is there a way to fix it?

@preetkaran20 When commenting out the endpoint /VulnerableApp-php and testing locally in Docker, I receive the expected empty {} for /scanner/sast, and /scanner/dast only shows for VulnerableApp (whereas before, when the endpoint /VulnerableApp-php was available, it was also including the /VulnerableApp-php/scanner/dast is not available in the return object). When VulnerableApp-php gets called with these non-existing endpoints, it returns a 200 response ... tested this in Postman as well via http://localhost/VulnerableApp-php/scanner/dast and the response is /VulnerableApp-php/scanner/dast is not available with a status 200.

Do you want me to edit the Lua file to handle this, instead of just 200, if 200 and doesn't contain 'is not available' for the VulnerableAppPhpResponse? Or should VulnerableApp-php return 404 instead of 200 for a non-existing page?
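As an added illustration (not the project's nginx.conf or Lua file), the OpenResty configuration below shows both points raised in this thread. The regex location is anchored with `$`, so only /scanner/sast and /scanner/dast match it and /scanner/dast<anything here> no longer falls into the same handler; a prefix location such as `location /scanner/dast` would match every URI that starts with that string. The Lua block then fans out one subrequest per backend and merges only the answers that decode as a JSON object, so a non-200 status and the PHP app's plain-text "... is not available" body (even when it comes with a 200) are both ignored, and the aggregate is {} when nothing succeeds. The backend hostnames and ports are assumed placeholders, and the assumption that each backend answers these endpoints with a JSON object is mine.

```nginx
# Added illustration, not the project's nginx.conf: anchored scanner routes
# plus fan-out to every backend, keeping only successful JSON answers.
# Backend service names and ports below are assumed placeholders.

location /VulnerableApp/     { proxy_pass http://vulnerableapp:9090; }
location /VulnerableApp-jsp/ { proxy_pass http://vulnerableapp-jsp:8080; }
location /VulnerableApp-php/ { proxy_pass http://vulnerableapp-php:80; }

# '~' is a regex location. The '$' anchor is what stops /scanner/dast<anything here>
# from matching: only the two intended paths reach this block.
location ~ ^/scanner/(sast|dast)$ {
    content_by_lua_block {
        local cjson = require "cjson.safe"   -- decode returns nil instead of raising
        local kind = ngx.var[1]              -- the captured "sast" or "dast"

        local backends = { "VulnerableApp", "VulnerableApp-jsp", "VulnerableApp-php" }
        local requests = {}
        for i, name in ipairs(backends) do
            requests[i] = { "/" .. name .. "/scanner/" .. kind }
        end

        -- One subrequest per backend, issued in parallel; results come back in order.
        local results = { ngx.location.capture_multi(requests) }

        local merged = {}
        for i, res in ipairs(results) do
            -- Ignore failures: a non-200 status, or a 200 whose body is not a JSON
            -- object (this is what catches the PHP app's "... is not available" text).
            local decoded = nil
            if res.status == 200 then
                decoded = cjson.decode(res.body)
            end
            if type(decoded) == "table" then
                for key, value in pairs(decoded) do
                    merged[key] = value
                end
            else
                ngx.log(ngx.WARN, backends[i], " skipped for /scanner/", kind,
                        " (status ", tostring(res.status), ")")
            end
        end

        ngx.header["Content-Type"] = "application/json"
        ngx.say(cjson.encode(merged))   -- "{}" when every backend was skipped
    }
}
```

With this in place, a request for /scanner/dast<anything here> is no longer handled by the scanner block and falls through to whatever the server's default location returns (typically a 404), which is the first thing to verify after the change; the skipped-backend warnings in the error log then show which apps did not contribute to a merged response.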