Giter VIP home page Giter VIP logo

demo-netflicks's Introduction

Netflicks: A deliberately insecure .NET Core web application

This is a .NET Core 2.2 demo application, based on https://github.com/LeviHassel/.net-flicks with added vulnerabilities.

Warning: The computer running this application will be vulnerable to attacks, please take appropriate precautions.

The credentials for admin access are [email protected] / p@ssWORD471

Running in Docker

You can run Netflicks within a Docker container, tested on OSX. It uses a separate sql server as specified within docker-compose.yml (you should not need to edit this file). The agent is added automatically during the Docker build process.

  1. Place a .NET specific contrast_security.yaml file into the application's root folder.
  2. Build the Netflicks container image using ./image.sh
  3. Run the containers using docker-compose up

Running in Azure (Azure App Service):

Pre-Requisites

  1. Place a .NET specific contrast_security.yaml file into the application's root folder.
  2. Install Terraform from here: https://www.terraform.io/downloads.html.
  3. Install PyYAML using pip install PyYAML.
  4. Install the Azure cli tools using brew update && brew install azure-cli.
  5. Log into Azure to make sure you cache your credentials using az login.
  6. Edit the variables.tf file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
  7. Run terraform init to download the required plugins.
  8. Run terraform plan and check the output for errors.
  9. Run terraform apply to build the infrastructure that you need in Azure, this will output the web address for the application. If you receive a HTTP 503 error when visiting the app then wait 30 seconds for the application to initialize.
  10. Run terraform destroy when you would like to stop the app service and release the resources.

The terraform file will automatically add the Contrast .NET Azure site extension, so you will always get the latest version.

Running automated tests

There is a test script which you can use to reveal all the vulnerabilities which requires node and puppeteer.

  1. Install Node, NPM and Chrome.
  2. From the app folder run npm i puppeteer.
  3. Run BASEURL=https://<your service name>.azurewebsites.net node exercise.js or BASEURL=https://<your service name>.azurewebsites.net DEBUG=true node exercise.js to watch the automated script.

Deploying a new version

If you change the application you should run the Publish option in Visual Studio which will update the content in deploy folder. Zip this up into an archive called deploy.zip.

Vulnerabilities

  1. SQL Injection from "Search" Parameter on "/Movie" page
  2. Cross-Site Scripting from "Email" Parameter on "/Account/ForgotPasswordConfirmation" page
  3. XML External Entity Injection (XXE) from "Biography" Parameter on "/Person/Edit/{n}" page
  4. Path Traversal from "Email" Parameter on "/Account/Login" page
  5. Path Traversal from "PhoneNumber" Parameter on "/Manage/Index" page
  6. OS Command Injection from "Email" Parameter on "/Account/Login" page

demo-netflicks's People

Watchers

 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.