Add xxe apps charts

Add branch to GitHub Action Update certificate issuer Update charts version working java-xxe app Update Ingress Update Ingess url Implementation of templates Java-xxe using template Fix Ingress and Service Add python and php
NeuraLegion · Dec 26, 2023 · e4fb037 · e4fb037
1 parent cb16b77
commit e4fb037
Show file tree

Hide file tree

Showing 18 changed files with 385 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - oleg/dvwp
 
 jobs:
   packages:

diff --git a/charts/java-xxe/Chart.lock b/charts/java-xxe/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: xxe-lab
+  repository: file://../../xxe-lab
+  version: 0.0.1
+digest: sha256:3e3f606aa1fc38c55f88a4f7be4591a74b1f71797f7768d9984385b31860f77c
+generated: "2023-10-09T19:08:04.18085+07:00"
diff --git a/charts/java-xxe/Chart.yaml b/charts/java-xxe/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: java-xxe
+description: |
+  Security vulnerability in Java applications that occurs when 
+  an attacker can manipulate the processing of XML input 
+  to include references to external entities.
+type: application
+keywords:
+- java-xxe
+version: 0.0.4
+appVersion: "1.0.0"
+dependencies:
+- name: xxe-lab
+  version: 0.0.1
+  repository: "file://../../xxe-lab"
diff --git a/charts/java-xxe/charts/xxe-lab-0.0.1.tgz b/charts/java-xxe/charts/xxe-lab-0.0.1.tgz
diff --git a/charts/java-xxe/values.yaml b/charts/java-xxe/values.yaml
@@ -0,0 +1,79 @@
+xxe-lab:
+  deployments:
+    - name: attackerserver
+      image: brightsec/java-xxe:attackerserver
+      port: 8888
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8888
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: aws-metadata
+      image: brightsec/java-xxe:aws-metadata
+      port: 8111
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8111
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: vulnserver
+      image: brightsec/java-xxe:vulnserver
+      # entrypoint: ""
+      port: 8080
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8080
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+  services:
+    - name: attackerserver
+      port: 8888
+      targetPort: 8888
+
+    - name: aws-metadata
+      port: 8111
+      targetPort: 8111
+
+    - name: vulnserver
+      port: 8080
+      targetPort: 8080
+
+  ingresses:
+    - name: attackerserver
+      port: 8888
+
+    - name: aws-metadata
+      port: 8111
+
+    - name: vulnserver
+      port: 8080
diff --git a/charts/php-xxe/Chart.lock b/charts/php-xxe/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: xxe-lab
+  repository: file://../../xxe-lab
+  version: 0.0.1
+digest: sha256:3e3f606aa1fc38c55f88a4f7be4591a74b1f71797f7768d9984385b31860f77c
+generated: "2023-10-11T11:41:50.6249+07:00"
diff --git a/charts/php-xxe/Chart.yaml b/charts/php-xxe/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: php-xxe
+description: |
+  Web application built with PHP that has a vulnerability allowing attackers
+  to exploit XML processing flaws for malicious purposes.
+type: application
+keywords:
+- php-xxe
+version: 0.0.4
+appVersion: "1.0.0"
+dependencies:
+- name: xxe-lab
+  version: 0.0.1
+  repository: "file://../../xxe-lab"
diff --git a/charts/php-xxe/charts/xxe-lab-0.0.1.tgz b/charts/php-xxe/charts/xxe-lab-0.0.1.tgz
diff --git a/charts/php-xxe/values.yaml b/charts/php-xxe/values.yaml
@@ -0,0 +1,78 @@
+xxe-lab:
+  deployments:
+    - name: attackerserver
+      image: brightsec/php-xxe:attackerserver
+      port: 8888
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8888
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: aws-metadata
+      image: brightsec/php-xxe:aws-metadata
+      port: 8111
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8111
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: vulnserver
+      image: brightsec/php-xxe:vulnserver
+      port: 80
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 80
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+  services:
+    - name: attackerserver
+      port: 8888
+      targetPort: 8888
+
+    - name: aws-metadata
+      port: 8111
+      targetPort: 8111
+
+    - name: vulnserver
+      port: 80
+      targetPort: 80
+
+  ingresses:
+    - name: attackerserver
+      port: 8888
+
+    - name: aws-metadata
+      port: 8111
+
+    - name: vulnserver
+      port: 80
diff --git a/charts/python-xxe/Chart.lock b/charts/python-xxe/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: xxe-lab
+  repository: file://../../xxe-lab
+  version: 0.0.1
+digest: sha256:3e3f606aa1fc38c55f88a4f7be4591a74b1f71797f7768d9984385b31860f77c
+generated: "2023-10-11T11:57:30.763802+07:00"
diff --git a/charts/python-xxe/Chart.yaml b/charts/python-xxe/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: python-xxe
+description: |
+  App built with python that has a vulnerability allowing attackers
+  to exploit XML processing flaws for malicious purposes.
+type: application
+keywords:
+- python-xxe
+version: 0.0.4
+appVersion: "1.0.0"
+dependencies:
+- name: xxe-lab
+  version: 0.0.1
+  repository: "file://../../xxe-lab"
diff --git a/charts/python-xxe/charts/xxe-lab-0.0.1.tgz b/charts/python-xxe/charts/xxe-lab-0.0.1.tgz
diff --git a/charts/python-xxe/values.yaml b/charts/python-xxe/values.yaml
@@ -0,0 +1,78 @@
+xxe-lab:
+  deployments:
+    - name: attackerserver
+      image: brightsec/python-xxe:attackerserver
+      port: 8888
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8888
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: aws-metadata
+      image: brightsec/python-xxe:aws-metadata
+      port: 8111
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8111
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+    - name: vulnserver
+      image: brightsec/python-xxe:vulnserver
+      port: 5000
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 150m
+          memory: 512Mi
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 5000
+          scheme: HTTP
+        initialDelaySeconds: 120
+        periodSeconds: 30
+
+  services:
+    - name: attackerserver
+      port: 8888
+      targetPort: 8888
+
+    - name: aws-metadata
+      port: 8111
+      targetPort: 8111
+
+    - name: vulnserver
+      port: 5000
+      targetPort: 5000
+
+  ingresses:
+    - name: attackerserver
+      port: 8888
+
+    - name: aws-metadata
+      port: 8111
+
+    - name: vulnserver
+      port: 5000
diff --git a/xxe-lab/Chart.yaml b/xxe-lab/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: xxe-lab
+description: Helm chart for XXE lab deployments
+version: 0.0.1
+appVersion: "1.0.0"
diff --git a/xxe-lab/templates/deployment.yaml b/xxe-lab/templates/deployment.yaml
@@ -0,0 +1,35 @@
+{{- range .Values.deployments }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $.Release.Name }}-{{ .name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app: {{ $.Release.Name }}-{{ .name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ $.Release.Name }}-{{ .name }}
+  template:
+    metadata:
+      labels:
+        app: {{ $.Release.Name }}-{{ .name }}
+    spec:
+      containers:
+        - name: app
+          image: {{ .image }}
+          imagePullPolicy: Always
+          securityContext:
+            {{- if eq .name "vulnserver" }}
+            capabilities:
+              add:
+                - NET_ADMIN
+            {{- end }}
+          ports:
+            - containerPort: {{ .port }} 
+          resources:
+          {{ toYaml .resources | nindent 12 }}
+          livenessProbe:
+          {{ toYaml .livenessProbe | nindent 12 }}
+{{- end }}
diff --git a/xxe-lab/templates/ingress.yaml b/xxe-lab/templates/ingress.yaml
@@ -0,0 +1,31 @@
+{{- range .Values.ingresses }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $.Release.Name }}-{{ .name }}
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.1 TLSv1.2"
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    {{ if eq $.Values.ingress.cert "" }}
+    cert-manager.io/cluster-issuer: letsencrypt-cf-prod
+    {{ end }}
+spec:
+  tls:
+    - hosts:
+        - {{ $.Release.Name }}{{ if eq .name "vulnserver" }}{{ else }}-{{ .name }}{{ end }}.{{ $.Values.ingress.url }}
+      secretName: {{ if eq $.Values.ingress.cert "" }}distributorwildcard{{ else }}{{ $.Values.ingress.cert }}{{ end }}
+  rules:
+    - host: {{ $.Release.Name }}{{ if eq .name "vulnserver" }}{{ else }}-{{ .name }}{{ end }}.{{ $.Values.ingress.url }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $.Release.Name }}-{{ .name }}
+                port:
+                  number: {{ .port }}
+{{- end }}
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,6 @@ on: @@
       push:
         branches:
           - main
-          - oleg/dvwp
     jobs:
       packages:
@@ Expand Down @@