Skip to content
This repository has been archived by the owner on Apr 20, 2023. It is now read-only.

tomgonzo/stackhawk-snyk-circleci-demo

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits

.circleci

.circleci

 
 

db

db

 
 

gradle/wrapper

gradle/wrapper

 
 

src/main

src/main

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

docker-compose.yml

docker-compose.yml

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

local-hawk.sh

local-hawk.sh

 
 

openapi.json

openapi.json

 
 

openapi.yaml

openapi.yaml

 
 

scan-rules.conf

scan-rules.conf

 
 

settings.gradle

settings.gradle

 
 

stackhawk-jsv-form-cookie.yml

stackhawk-jsv-form-cookie.yml

 
 

stackhawk-jsv-json-token.yml

stackhawk-jsv-json-token.yml

 
 

stackhawk.yml

stackhawk.yml

 
 

Repository files navigation

A Vulnerable Spring App

Hi I'm The Vulny Spring App, a modern web stack using the latest(-ish) in Java Spring framework technology.
I'm both sophisticated and naïve all while using a best in class web framework.

Ever since my developers implemented some new authorization method types and form handlers, I haven't been feeling very well.

I'm probably due for a thorough checkup using a trusted web application vulnerability scanner.

Will you please scan me?

I recommend OWASP ZAProxy or StackHawk - Powered by ZAP to make sure all of my bugs are diagnosed.

How to start

Build

docker-compose build

Run docker

docker-compose up -d

...or

Build/Run docker

docker-compose up --build -d

The diagnosis

A [ZAP]((https://www.zaproxy.org/) or StackHawk scan should uncover these two nast bugs:

  • SQL Injection via search box. - a%'; insert into item values ((select max(id)+1 from item), 'bad bad description', 'hacker item name'); select * from item where name like '%banan ' union select case when cast(pg_sleep(5) as varchar) > '' then 0 else 1 end, '1', '1'-- ' union select 1, cast(pg_sleep(5) as varchar), '1'--
  • Cross Site Scripting via search box. - <script>alert('hey guy');</script>

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 59.3%
  • HTML 39.3%
  • Other 1.4%