An insecure spring boot based java service providing an API to store and retrieve browser bookmarks for different users.
-
main branch: The insecure variant of this application with lots of security tests covering several topics of the OWASP Top 10 (2021), and the OWASP ASVS 4.x (only secured via basic authentication and form based login without any authorization checks)
-
secure branch: The secure variant (all security tests should be green). Still using basic authentication and form based login, but including authorization checks.
This application provides a basic bookmark administration (like in your web browsers).
You may ask for bookmarks of user Bruce Wayne like this:
http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:wayne
You could also just try to access bookmarks of another user (which is actually broken authz):
http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:banner
Or just ask for the complete list of users (which you usually should not provide to all users!!!)
http :9090/api/users --auth [email protected]:wayne
The security tests include the following types:
- Unit Test Layer
- Static Code Analysis using SpotBugs & SonarQube (both using the respective Gradle Plugins)
- OWASP Dependency Check
- Security Architecture Tests (using ArchUnit)
- Input Validation Tests
- Broken Authentication Tests
- Integration Test Layer
- Security Misconfiguration Tests
- Injection (SQL Injection) Tests
- Broken Access Control Tests
- UI/Workflow Layer
- Dynamic Security Tests using OWASP Zap
To check the project with the OSS semgrep scanner just perform this command inside the project root folder:
semgrep scan --config auto
To use SonarQube for security analysis the easiest way is the provided docker container. Just follow the Getting Started Guide using the described way using a docker container. Then continue the same guide with Analyzing a Project.
After you have configured the project in SonarQube you can trigger the project analysis by issuing the following command:
./mvnw sonar:sonar -Dsonar.projectKey=PROJECT_KEY
-Dsonar.projectName='PROJECT_NAME'
-Dsonar.host.url=http://localhost:9000
-Dsonar.token=THE_GENERATED_TOKEN
Please replace PROJECT_KEY and PROJECT_TOKEN with your own values.