Welcome to the DevSecOps Tutorial project! This repository contains a deliberately vulnerable web application designed to demonstrate various DevSecOps practices.
This application is intentionally vulnerable and should NEVER be used in a production environment. It is designed for educational purposes only.
Before you begin, ensure you have the following:
- A GitHub account
- An Azure account (A new account gives you access to most services and $200 in credits)
- An IDE or text editor (VS Code is recommended)
- Fork this repository
- Clone your fork: `git clone <your_fork>.git`
- Navigate to the project directory: `cd DevSecOps_Tutorial`
- Delete all workflows
- Install dependencies: `npm install`
- Run the application: `node app.js`
- Create a Web App Service with a Node.js runtime stack in Azure
- Enable continuous deployment and connect your GitHub account and repository
- Enable basic authentication
- Keep the rest of the settings as default
Your application should now be available at `<webapp_name>.azurewebsites.net`
Important: Consider implementing a spending limit as this application is vulnerable and may be exploited.
Can you spot any vulnerabilities in the source code? How would you automate the process of finding these vulnerabilities?
You can experiment with the demo instance at https://simple-devsecops-app.azurewebsites.net/
- Log into SonarCloud via GitHub
- Configure visibility for your project
- Follow the "Analyze a project with a GitHub Action" instructions
- Create a new workflow, secret, and properties file as instructed
- Utilise the provided `zap_scan.yml` file from this repository
- Change the URL to your own application's URL
- Results will appear as an artifact on GitHub
- Utilise the provided `Trufflehog.yml` file from this repository
TODO
Not really a part of the security validation process, but see the files `app.test.js` and `test.yml`.
TODO
- XSS: `<img src=x onerror="alert('XSS')">`
- SQLi: `OR admin' --`
- Broken auth: Click on the admin panel
- Insecure Deserialization (will not be displayed):

  ```json
  {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}()"}
  ```

- Security misconfiguration: Access the Debug info for sensitive information
- Unrestricted file upload: Try uploading various file types
- Command injection: `ping google.com`
- Weak Cryptography: just encrypt anything -> DES is considered insecure
- Path Traversal: `../../../etc/passwd`
- XXE (will not be displayed):

  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <root>
    <data>&xxe;</data>
  </root>
  ```

- Prototype Pollution (will not be displayed):

  ```json
  {
    "target": {},
    "source": {
      "__proto__": {
        "polluted": "Prototype has been polluted!"
      }
    }
  }
  ```
For a more complex project, consider implementing DevSecOps practices into OWASP Juice Shop. Be aware that it may require significant debugging when deploying to the cloud.
This project is MIT licensed.