This repo contain one self modified java springboot application and some security testing classes which will help to see how contrast caught and monitor vulnerabilities and attacks.
Prerequiste: a) Need Contrast account free or paid --> which will give api key, service key, url etc. b) Docker desktop c) Kubernetes cluster - minikube or kubeadm (if need to test on k8)
******** Steps for Instrumenting contrast into base image (Dockerfile) *************
- Add below steps in your base image Dockefile:
- Use an official OpenJDK runtime as a parent image FROM openjdk:8-jre-alpine
-> Copy the required agent files from the official Contrast agent image
COPY --from=contrast/agent-java:latest /contrast/contrast-agent.jar /opt/contrast/contrast.jar
-> Copy the Contrast configuration file to the container
COPY contrast_security.yaml /opt/contrast/contrast_security.yaml
-> Set the environment variable for Contrast agent options
ENV CONTRAST_OPTS="-javaagent:/opt/contrast/contrast.jar -Dcontrast.config.path=/opt/contrast/contrast_security.yaml"
-> Set Java tool options to include the Contrast agent options
ENV JAVA_TOOL_OPTIONS="$CONTRAST_OPTS"
- Create "Contrast_security.yaml"
api: url: https://ce.contrastsecurity.com/Contrast api_key: jE6---------------FMgu8Opd service_key: CNPX-------IX user_name: agent_f---------------------@tisOrg log: level: DEBUG
3.Run the Container with Correct Environment Variables: Ensure that you pass the necessary environment variables when running the container.
docker run -p 8080:8080
-e CONTRAST__API__URL=https://ce.contrastsecurity.com/Contrast
-e CONTRAST__API__API_KEY=jE6657G8888888ZrCnFMgu8Opd
-e CONTRAST__API__SERVICE_KEY=CNLU9IX
-e CONTRAST__API__USER_NAME=agent_f1c88e2a-6136-****@***sOrg
java-springboot-contrast:v8
4.Access the Vulnerable Endpoints:
Use a browser or a tool like curl to access the endpoints to trigger the vulnerabilities. bash Copy code curl "http://localhost/vulnerable?username=%27%20OR%20%271%27=%271%27" curl "http://localhost:8080/xss?input=<script>alert('XSS')</script>" curl "http://localhost:8080/idor?id=1" curl "http://localhost:8080/cmd?command=ls"
Important Notes Security: Never deploy intentionally vulnerable code in a production environment. Use a separate, isolated environment for security testing. Ethics: Use the knowledge of creating vulnerabilities responsibly. Always have permission to test the systems you are working on.