The Good Parts of Application Security is a project to learn how to develop and test secure web applications following a Test Driven Development (TDD) process. It is made up of a set of Java modules defined according to the OWASP Application Security Verification Standard 4.0 (ASVS). Each module contains an example of a vulnerable webapp in the `challenges` branch that has to be fixed in order to pass all the tests that have already been defined for that module in that branch. The `master` branch, on the other hand, contains working examples of how to fix the different security vulnerabilities and make the modules safe.
There is a total of 14 modules as defined in the ASVS project, but bear in mind that for the moment just some of them have been finished (those with a link to the module):

- appsec-access: Access Control Verification Requirements
- appsec-api: API and Web Service Verification Requirements
- appsec-architecture: Architecture, Design and Threat Modeling Requirements
- appsec-authentication: Authentication Verification Requirements
- appsec-buslogic: Business Logic Verification Requirements
- appsec-communications: Communications Verification Requirements
- appsec-config: Configuration Verification Requirements
- appsec-cryptography: Stored Cryptography Verification Requirements
- appsec-data: Data Protection Verification Requirements
- appsec-error: Error Handling and Logging Verification Requirements
- appsec-files: File and Resources Verification Requirements
- appsec-malicious: Malicious Code Verification Requirements
- appsec-session: Session Management Verification Requirements
- appsec-validation: Validation, Sanitization and Encoding Verification Requirements
  - appsec-validation-injection-sql: SQL Injection
  - appsec-validation-redirect: Unvalidated Redirects
As mentioned before, the `challenges` branch contains different examples of vulnerable webapps. Each module includes a `README.md` file with detailed information about the webapp as well as some other relevant information, such as a step-by-step guide on how to exploit each type of vulnerability.

For instance, consider the following piece of code taken from appsec-validation-redirect. It shows an unvalidated redirect vulnerability that is caused by a REST controller redirecting to a non-whitelisted referrer.
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.SneakyThrows;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class AuthController {

    // TODO Get whitelisted referers from application resources
    String[] whitelistedReferers;

    @PostMapping(value = "/logout")
    void logout(HttpServletRequest request, HttpServletResponse response) {
        invalidateSession();
        redirectToServiceHomePage(request, response);
    }

    private void invalidateSession() {
        // Do nothing
    }

    // TODO Add proper logging categories for any suspicious behaviour
    @SneakyThrows
    private void redirectToServiceHomePage(HttpServletRequest request, HttpServletResponse response) {
        // The Referer header is client-controlled and reaches sendRedirect unchecked
        String referer = request.getHeader("referer");
        // TODO Redirect to referer only if whitelisted
        response.sendRedirect(referer);
    }
}
```
The code has been annotated with some `TODO` comments to give some clues on how to fix the vulnerability.
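One way the three `TODO`s can be resolved, written here as an added example and not the project's own `master`-branch solution: the referer is parsed as a URL, its host (not the raw header) is matched against the configured whitelist, and anything else is logged under the `[AppSec]` category without being redirected. It assumes a Spring Boot application on `javax.servlet` with SLF4J, a property name `appsec.whitelisted-referers` chosen for this example, and that a request with a non-whitelisted referer simply gets a 200 response instead of a redirect.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class AuthController {
    private static final Logger log = LoggerFactory.getLogger(AuthController.class);

    // Assumption: application.properties holds a comma-separated list, e.g.
    // appsec.whitelisted-referers=wikimedia.org,wikipedia.org
    @Value("${appsec.whitelisted-referers}")
    String[] whitelistedReferers;

    @PostMapping("/logout")
    void logout(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        redirectToServiceHomePage(request, response);
    }

    private void redirectToServiceHomePage(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String referer = request.getHeader("referer");
        if (isWhitelisted(referer)) { // otherwise no redirect is sent and the response stays 200
            response.sendRedirect(referer);
        }
    }

    // Compare the parsed host, never the raw header: a substring match would accept a
    // whitelisted name hidden in the query string or glued onto another host name.
    boolean isWhitelisted(String referer) {
        try {
            URL url = new URL(referer); // a null or scheme-less value throws here
            String host = url.getHost().toLowerCase();
            boolean allowed = url.getProtocol().matches("https?")
                    && Arrays.stream(whitelistedReferers).anyMatch(d -> host.equals(d) || host.endsWith("." + d));
            if (!allowed) log.warn("[AppSec] Invalid referer header, value {} does not match whitelist {}", referer, Arrays.toString(whitelistedReferers));
            return allowed;
        } catch (MalformedURLException e) {
            log.warn("[AppSec] Invalid referer header, value {} is not a valid URL. Exception: {}", referer, e.getMessage());
            return false;
        }
    }
}
```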
In order to solve a challenge, fix the vulnerable code and run the tests using Maven:

```
➜ appsec-validation-redirect git:(challenges) mvn clean test
```
If the code is still vulnerable, some errors will be displayed when running the tests:

```
...
[ERROR] Failures:
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:69
Expecting:
<302>
to be equal to:
<200>
but was not.
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:69
Expecting:
<302>
to be equal to:
<200>
but was not.
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:69
Expecting:
<302>
to be equal to:
<200>
but was not.
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:69
Expecting:
<302>
to be equal to:
<200>
but was not.
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:69
Expecting:
<302>
to be equal to:
<200>
but was not.
[ERROR] Errors:
[ERROR] AuthControllerTest.shouldLogoutAndNotRedirectToNonWhitelistedReferrers:67 » IllegalArgument
[INFO]
[ERROR] Tests run: 10, Failures: 5, Errors: 1, Skipped: 0
...
```
If the vulnerability is fixed, all tests will be green and the module will be built successfully:

```
[INFO] -------------------------------------------------------
[INFO] T E S T S
[INFO] -------------------------------------------------------
[INFO] Running internal.appsec.validation.redirect.controller.AuthControllerTest
19:43:00.066 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value http://phishing.external/ does not match whitelist [wikimedia.org, wikipedia.org]
19:43:00.134 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value http://phishing.external?referer=https://www.wikimedia.org/ does not match whitelist [wikimedia.org, wikipedia.org]
19:43:00.139 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value http://phishing.externalwikimedia.org/ does not match whitelist [wikimedia.org, wikipedia.org]
19:43:00.144 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value is not a valid URL. Exception: no protocol:
19:43:00.151 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value is not a valid URL. Exception: no protocol:
19:43:00.155 [main] WARN internal.appsec.validation.redirect.controller.AuthController - [AppSec] Invalid referer header, value null is not a valid URL. Exception: null
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.073 s - in internal.appsec.validation.redirect.controller.AuthControllerTest
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
```
If you would like to contribute to this project, feel free to choose any vulnerability and submit a pull request following the same structure as the existing modules:

- a `README.md` with some context about the webapp, the vulnerability, how to exploit it, and the secure code challenge
- the vulnerable webapp in the `challenges` branch
- the secure webapp in the `master` branch
- a set of tests to ensure that the webapp is not vulnerable anymore