sgerlach · sgerlach · Oct 31, 2023 · Oct 31, 2023 · Oct 31, 2023
diff --git a/.github/workflows/kaakaww.yml b/.github/workflows/kaakaww.yml
@@ -6,21 +6,25 @@ name: KAAKAWW
 on:
   # Triggers the workflow on push or pull request events but only for the main branch
   pull_request:
-    branches: [ Main ]
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   stackhawk-hawkscan:
+    name: Runs the application and the HawkScan test of the app
     runs-on: ubuntu-latest
     steps:
-      - name: Check out Repo!
+      - name: Checkout code
         uses: actions/checkout@v2
       - name: Build and Run Vulny!
         run: docker-compose build && docker-compose up -d
       - name: HawkScan
-        uses: stackhawk/hawkscan-action@v1.3.2
+        uses: stackhawk/hawkscan-action@v2.0.0
         with:
-          apiKey: ${{ secrets.HAWK_API_TOKEN }}
+          apiKey: ${{ secrets.HAWK_API_KEY }}
+          configurationFiles: stackhawk.d/stackhawk-custom-params.yml stackhawk.d/stackhawk-github-pr.yml
+        env:
+          COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+          BRANCH_NAME: ${{ github.head_ref }}
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM openjdk:11.0.10-jdk-slim
 
 RUN mkdir /javavulny /app
 COPY . /javavulny/
-RUN sed -i 's/localhost\:5432/db\:5432/' /javavulny/src/main/resources/application.properties
+RUN sed -i 's/localhost\:5432/db\:5432/' /javavulny/src/main/resources/application-postgresql.properties
 
 RUN cd /javavulny \
 && ./gradlew --no-daemon build \

diff --git a/src/main/resources/application-postgresql.properties b/src/main/resources/application-postgresql.properties
@@ -0,0 +1,37 @@
+spring.datasource.platform=postgres
+spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
+spring.datasource.username=postgresql
+spring.datasource.password=postgresql
+spring.datasource.driverClassName=org.postgresql.Driver
+spring.jpa.database=POSTGRESQL
+spring.jpa.show_sql=false
+spring.jpa.properties.hibernate.use_sql_comments=false
+spring.jpa.properties.hibernate.format_sql=false
+spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.PostgreSQL81Dialect
+spring.jpa.generate-ddl=true
+spring.jpa.hibernate.ddl-auto=create-drop
+spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
+logging.level.org.hibernate.SQL=debug
+logging.level.org.hibernate.type=trace
+logging.level.org.hibernate.type.descriptor.sql=trace
+logging.level.org.springframework=info
+logging.level.org.baeldung=info
+
+server.error.whitelabel.enabled=false
+server.error.include-stacktrace=always
+
+server.port=9000
+
+springdoc.api-docs.path=/openapi
+
+server.ssl.key-store-type=PKCS12
+#server.ssl.key-store=classpath:keystore.p12
+server.ssl.key-store=classpath:javavulny.p12
+server.ssl.key-store-password=stackhawk
+server.ssl.key-alias=JavaVulny
+
+payload.startSize=3096
+payload.count=20
+
+management.endpoints.web.exposure.include=*
+management.endpoints.jmx.exposure.include=*
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,43 +1,26 @@
 
-spring.datasource.platform=postgres
-spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
-spring.datasource.username=postgresql
-spring.datasource.password=postgresql
-spring.jpa.database=POSTGRESQL
-spring.jpa.show_sql=false
-spring.jpa.properties.hibernate.use_sql_comments=false
-spring.jpa.properties.hibernate.format_sql=false
-spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.PostgreSQL81Dialect
+spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE
+spring.datasource.username=sa
+spring.datasource.password=password
+spring.datasource.driverClassName=org.h2.Driver
+spring.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.jpa.generate-ddl=true
 spring.jpa.hibernate.ddl-auto=create-drop
 spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
-logging.level.org.hibernate.SQL=debug
-logging.level.org.hibernate.type=trace
-logging.level.org.hibernate.type.descriptor.sql=trace
-logging.level.org.springframework=info
-logging.level.org.baeldung=info
-
-server.error.whitelabel.enabled=false
-server.error.include-stacktrace=always
-
 server.port=9000
 
 springdoc.api-docs.path=/openapi
 
-server.ssl.enabled=false
+server.ssl.enabled = true
 server.ssl.key-store-type=PKCS12
-server.ssl.key-store=classpath:keystore.p12
+#server.ssl.key-store=classpath:keystore.p12
+server.ssl.key-store=classpath:javavulny.p12
 server.ssl.key-store-password=stackhawk
 server.ssl.key-alias=JavaVulny
-server.ssl.protocol=TLS
-server.ssl.enabled-protocols=TLSv1.2
 
 payload.startSize=3096
 payload.count=20
 
-management.endpoints.web.exposure.include=*
-management.endpoints.jmx.exposure.include=*
-
 #large payload testing
 #payload.startSize=2048000
 #payload.count=100
diff --git a/stackhawk.d/active/api1:2019-tennant-check.js b/stackhawk.d/active/api1:2019-tennant-check.js
@@ -0,0 +1,76 @@
+var RISK = 3; // 0: info, 1: low, 2: medium, 3: high
+// StackHawk doesn't display INFO alerts
+var TITLE = "ScottyCo Brewing Custom Tenant Check";
+var DESCRIPTION = `A ScottyCo user was able to obtain information about another user it should not have been able to.
+                    Please see internal WIKI about ScottyCo tenancy checks at
+                    https://example.com/wiki/ssdlc/tennancy`;
+var SOLUTION = "Implement Correct Spring AuthZ Annotation on user object.";
+var REFERENCE = "https://something.that.shows.the.problem.com/OMG";
+var OTHER = "If you run into ploblems, reach out to the security team on slack #appsechalp";
+
+function log(msg) {
+    print("[" + this["zap.script.name"] + "]" + msg);
+}
+
+
+function alert(as, msg, evidence) {
+  as.newAlert()
+    .setPluginId(1000012)
+    .setRisk(RISK)
+    .setName(TITLE)
+    .setDescription(DESCRIPTION)
+    .setEvidence(evidence)
+    .setOtherInfo(OTHER)
+    .setSolution(SOLUTION)
+    .setReference(REFERENCE)
+    .setMessage(msg)
+    .raise();
+
+    }
+
+
+ function scan(as, msg, param, value) {
+
+ }
+
+ function scanNode(as, msg) {
+    var uri = msg.getRequestHeader().getURI();
+
+    log("scanning ", uri);
+
+    // copy requests before using them or bad things
+    msg = msg.cloneRequest();
+
+    var request_header = msg.getRequestHeader();
+    uri = request_header.getURI();
+
+    var path = "";
+    if (uri.getPath() != null && uri.getPath().length() >1) {
+        path = uri.getPath().toString() + "/user";
+    } else {
+        path = "/user";
+    }
+    uri.setPath(path);
+
+    log("scanning 2" + uri);
+
+    request_header.setHeader("Content-Type", "application-json");
+
+    as.sendAndReceive(msg, false, false);
+
+    var response_header = msg.getResponseHeader();
+    var response_body = msg.getResponseBody();
+
+    log("response body: ", response_body);
+    log("response header: ", response_header);
+
+    //check for evidence of problem
+    var evidence_idx = response_body.toString().indexOf("12345678");
+
+    log(msg);
+
+    // Test the response here and make other requests as needed
+    if (response_header.getStatusCode() == 200 && evidence_idx >=0) {
+        alert(as, msg, "12345678");
+    }
+ }