Java Spring Vulny is a simple application that combines the power and sophistication of the Spring framework with some homegrown naïveté. Its purpose is to provide a target for web application security test scanners such as OWASP ZAProxy and StackHawk.
docker-compose builddocker-compose up -d./gradlew --no-daemon buildjava -Djava.security.egd=file:/dev/./urandom -jar build/libs/java-spring-vuly-0.1.0.jarOnce the app starts up, you can reach it at https://localhost:9000.
You can log in to the application with the following credentials:
username: user
password: password
| URL | Description |
|---|---|
| https://localhost:9000 | Home page |
| https://localhost:9000/openapi | The OpenAPI specification for this app |
| https://localhost:9000/openapi.yaml | The OpenAPI spec in YAML format |
| https://localhost:9000/swagger-ui.html | The Swagger doc for the OpenAPI spec |
A ZAP or StackHawk scan should uncover these bugs:
| Bug | Example |
|---|---|
| SQL Injection via search box | a%'; insert into item values (999, 'bad bad description', 'hacker item name'); select * from item where name like '%banan |
| Cross Site Scripting via search box | <script>alert('hey guy');</script> |
The following examples will run HawkScan against the JavaSpringVulny app running on localhost and port 9000, which is the default setup. The StackHawk configuration files are already present in this repository.
You should create a new application in the StackHawk app to collect data from these scans. The following environment variables are required for these scans to work:
API_KEY: Your StackHawk API keyAPP_ID: The application ID from the StackHawk app.
You can optionally include the following variables to customize the scan.
APP_HOST: The host to scan. Default: https://localhost:9000APP_ENV: The application environment. Default: Development
Baseline scan without authentication:
docker run --tty --rm --network host --volume $(pwd):/hawk \
--env API_KEY \
--env APP_ID \
stackhawk/hawkscanScan using web form authentication with a session cookie. See the docs for more information.
docker run --tty --rm --network host --volume $(pwd):/hawk \
--env API_KEY \
--env APP_ID \
stackhawk/hawkscan stackhawk.yml stackhawk.d/stackhawk-auth-form-cookie.ymlScan using an authorization token retrieved by POSTing credentials to an API endpoint. See the docs for more information.
docker run --tty --rm --network host --volume $(pwd):/hawk \
--env API_KEY \
--env APP_ID \
stackhawk/hawkscan stackhawk.yml stackhawk.d/stackhawk-auth-json-token.ymlScan using an authorization token extracted by an external script. This method can be useful for third-party authentication systems. See the docs for more information.
docker run --tty --rm --network host --volume $(pwd):/hawk \
--env API_KEY \
--env APP_ID \
stackhawk/hawkscan stackhawk.yml stackhawk.d/stackhawk-auth-external-token.ymlScan using basic authentication, using an external script to derive the correct authorization token. This legacy method is an insecure form of bearer token authentication. See the docs for more information.
export AUTH_TOKEN=$(./scripts/basic-auth.sh)
docker run --tty --rm --network host --volume $(pwd):/hawk \
--env API_KEY \
--env APP_ID \
--env AUTH_TOKEN \
stackhawk/hawkscan stackhawk.yml stackhawk.d/stackhawk-auth-basic.yml