Write readme and document getting started guide

Question

Write readme and document getting started guide

preetkaran20 opened this issue 3 years ago · comments

Karan Preet Singh Sasan commented 3 years ago

While discussing with @nowakkamil found that we are missing readme details and documentation so need to add it.

Karan Preet Singh Sasan · Answer 1 · Sat May 22 2021 13:15:08 GMT+0800 (China Standard Time)

updated the readme file, however need to update the contributing guideline.

Karan Preet Singh Sasan · Answer 2 · Sun May 23 2021 17:29:23 GMT+0800 (China Standard Time)

Update the Readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/ which has github repository: https://github.com/OWASP/www-project-vulnerableapp-facade as they both point to old docker image.

Karan Preet Singh Sasan · Answer 3 · Mon May 24 2021 11:35:55 GMT+0800 (China Standard Time)

Update the Readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/ which has github repository: https://github.com/OWASP/www-project-vulnerableapp-facade as they both point to old docker image.

Updated the docker image links.

Karan Preet Singh Sasan · Answer 4 · Mon May 24 2021 11:43:05 GMT+0800 (China Standard Time)

Left items in this task:

Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
A new file explaining, how to contribute to the project. This is needed as we are building the UI in react and might require some explanation regarding coding structure.
Update readme with the project's tech stack.
Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project.

lawrence mcdonell · Answer 5 · Mon Jun 06 2022 14:24:27 GMT+0800 (China Standard Time)

Hi, I can help with this. Can you tell me where I can find whatever information is required to do this documentation?

Karan Preet Singh Sasan · Answer 6 · Tue Jun 07 2022 01:16:48 GMT+0800 (China Standard Time)

Hi @lmcdo ,

Some of the documentations links which are very uptodate:

Older references but still hold good information:

Older video explaining about initial project
Older documentation
Design document
Blog
https://github.com/SasanLabs/VulnerableApp-jsp and https://github.com/SasanLabs/VulnerableApp-php depicting how any vulnerable application can leverage the VulnerableApp-facade.

Please let me know if you need more context, we can discuss over a call.

thanks,
Karan

lawrence mcdonell · Answer 7 · Tue Jun 07 2022 19:37:01 GMT+0800 (China Standard Time)

Hi Karan, Thanks for your reply. I have read through the code, the documentation, the OWASP website and watched the two videos attached, but I am new to Owasp and the general Vulnerable apps scene, so currently still trying to understand it all. I am experienced in fullstack and react. Happy to talk on a call too. The items below (I copied the text from the github Issues) I seem to be the current ones, I think? I am asking everything in a bid to learn as much as possible, please direct where possible :) Left items in this task: 1. Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project. *Is there any current documentation or references for this? The best I can guess that this refers to is in the OWASP Spotlight video (see attached screenshot) where some edits are made to a java file for Title, Description and Hints.* 2. A new file explaining, how to contribute to the project. This is needed as we are building the UI in react and might require some explanation regarding coding structure. Are there further requirements for this? E.g. Is the current How to Contribute ok? How much detail would be good for the explanation of Coding Structure (do you have an example in mind)? 3. Update readme with the project's tech stack. Is there a model/example for this, or is there a defined place to get this? 4. Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project. Could you please expand on which updates that are needed for this project?

…

On Tue, Jun 7, 2022 at 3:17 AM Karan Preet Singh Sasan < ***@***.***> wrote: Hi @lmcdo <https://github.com/lmcdo> , Some of the documentations links which are very uptodate: 1. Readme for this project <https://github.com/SasanLabs/VulnerableApp-facade#readme> 2. Owasp Spotlight into <https://www.youtube.com/watch?v=HRRTrnRgMjs&ab_channel=VandanaVerma> 3. Our thoughts <https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade> Older references but still hold good information: 1. Older video explaining about initial project <https://www.youtube.com/watch?v=AjL4B-WwrrA&ab_channel=OwaspVulnerableApp> 2. Older documentation <https://sasanlabs.github.io/VulnerableApp/> 3. Design document <https://sasanlabs.github.io/VulnerableApp/DesignDocumentation.html> 4. Blog <https://hussaina-begum.medium.com/an-extensible-vulnerable-application-for-testing-the-vulnerability-scanning-tools-cc98f0d94dbc> 5. https://github.com/SasanLabs/VulnerableApp-jsp and https://github.com/SasanLabs/VulnerableApp-php depicting how any vulnerable application can leverage the VulnerableApp-facade. Please let me know if you need more context, we can discuss over a call. thanks, Karan — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4OZMSUQCMQS752HGJDVNYXA7ANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Karan Preet Singh Sasan · Answer 8 · Wed Jun 08 2022 01:14:10 GMT+0800 (China Standard Time)

Hi @lmcdo,

On pointer 1, the way we configure a vulnerable app is via a json contract and you can find the contract details in https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade. Also you can look into https://github.com/SasanLabs/VulnerableApp-facade/blob/main/nginx.conf and https://github.com/SasanLabs/VulnerableApp-facade/blob/main/lua-modules/vulnerableapp_utility.lua on how we configured 3 vulnerable apps.

On pointer 2, I think current structure has issues in explaining the ways to debug/local setup, we need a document or a video explaining, how to configure or remove one app under the vulnerable app facade etc in order to just run the application as well as in order to develop or enhance it.

On pointer 3, we just need to tell about the react version we are using in readme as well as npm version. We can also include a video detail explaining how the entire architecture of application is build etc if possible.

Pointer 4, we can ignore.

Thanks,
Karan

lawrence mcdonell · Answer 9 · Sun Jun 12 2022 18:45:03 GMT+0800 (China Standard Time)

Hi Karan, I suppose I have not had enough exposure to the use cases of vulnerability testing and scanning to fully understand this use case! I read a lot more around this but can't resolve it. I would have thought that a vulnerable app was an app, e.g. a web app with its own features and purpose which has either known or unknown security weaknesses. But here, OWASP Vulnerability App is something to fix/diagnose such a vulnerable app, not a vulnerable app itself, so it is ambiguous. I don't understand the relation between the OWASP Vulnerability app, the testing scanner and a sample vulnerability, or the process and reasoning of how the json file configuration works (together, possibly, with the java code editing (in the OWAP Spotlight video). Sorry about that. I would be able to help if I could some more basic orientation, thanks for any info.

…

On Wed, Jun 8, 2022 at 3:14 AM Karan Preet Singh Sasan < ***@***.***> wrote: Hi @lmcdo <https://github.com/lmcdo>, On pointer 1, the way we configure a vulnerable app is via a json contract and you can find the contract details in https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade. Also you can look into https://github.com/SasanLabs/VulnerableApp-facade/blob/main/nginx.conf and https://github.com/SasanLabs/VulnerableApp-facade/blob/main/lua-modules/vulnerableapp_utility.lua on how we configured 3 vulnerable apps. On pointer 2, I think current structure has issues in explaining the ways to debug/local setup, we need a document or a video explaining, how to configure or remove one app under the vulnerable app facade etc in order to just run the application as well as in order to develop or enhance it. On pointer 3, we just need to tell about the react version we are using in readme as well as npm version. We can also include a video detail explaining how the entire architecture of application is build etc if possible. Pointer 4, we can ignore. Thanks, Karan — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4LRMVB4BPCA37X4XYTVN57O5ANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Karan Preet Singh Sasan · Answer 10 · Sun Jun 12 2022 19:02:08 GMT+0800 (China Standard Time)

Hi @lmcdo,

I think the best way to discuss all these points is over the call. I work in IST timezone till 10 PM IST, so let me know when can we connect? Happy to connect today as well.

thanks,
Karan

lawrence mcdonell · Answer 11 · Sun Jun 12 2022 19:12:12 GMT+0800 (China Standard Time)

Right, I am AEST, Sydney Australia, it's 9 pm here now. Possibly my tomorrow 5pm your 12.30 pm?

…

On Sun, Jun 12, 2022 at 9:02 PM Karan Preet Singh Sasan < ***@***.***> wrote: Hi @lmcdo <https://github.com/lmcdo>, I think the best way to discuss all these points is over the call. I work in IST timezone till 10 PM IST, so let me know when can we connect? Happy to connect today as well. thanks, Karan — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4KIBFFL34YOKLQEWBLVOW7TXANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Karan Preet Singh Sasan · Answer 12 · Sun Jun 12 2022 19:19:10 GMT+0800 (China Standard Time)

@lmcdo Sure works for me, please schedule a meeting on google meet. My email address is: preetkaran20@gmail.com

thanks,
Karan

lawrence mcdonell · Answer 13 · Sun Jun 12 2022 20:04:46 GMT+0800 (China Standard Time)

sorry, use this one, this link is for tomorrow 12.30 IST https://meet.google.com/nez-imjd-fbv <https://www.google.com/url?q=https://meet.google.com/nez-imjd-fbv&sa=D&source=calendar&usd=2&usg=AOvVaw0Fx6RV7hERxlBeOrEPTeUn>

…

On Sun, Jun 12, 2022 at 9:19 PM Karan Preet Singh Sasan < ***@***.***> wrote: @lmcdo <https://github.com/lmcdo> Sure works for me, please schedule a meeting on google meet. My email address is: ***@***.*** thanks, Karan — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4PW7SPIWGQHJXB6XJ3VOXBTRANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

lawrence mcdonell · Answer 14 · Wed Jun 15 2022 15:08:58 GMT+0800 (China Standard Time)

Hi Karan, Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project. 1. I find I still don't have a clue as to the test scanner use case :( Downloading and running the Facade project is easy enough, and I see that docker compose downloads and gets the Vulnerable App, plus jsp and php versions, and then populates the UI. But how is this useful for "testing a test scanner" which you said was the purpose of this VulnerableApp Facade? How to use the Levels in this process? There is no clue in the documentation. 2. The end user (test scanner dev, security/testing student) will want to edit their own app vulnerabilities, but these files need to go in the docker container, and that is why the Readme currently says "make a copy of docker.compose.yml" in order to deploy the changes that the user makes to their own code. Should the onboarding document provide a description of the preferred docker process? On Sun, Jun 12, 2022 at 10:04 PM lawrence mcdonell < ***@***.***> wrote:

…

sorry, use this one, this link is for tomorrow 12.30 IST https://meet.google.com/nez-imjd-fbv <https://www.google.com/url?q=https://meet.google.com/nez-imjd-fbv&sa=D&source=calendar&usd=2&usg=AOvVaw0Fx6RV7hERxlBeOrEPTeUn> On Sun, Jun 12, 2022 at 9:19 PM Karan Preet Singh Sasan < ***@***.***> wrote: > @lmcdo <https://github.com/lmcdo> Sure works for me, please schedule a > meeting on google meet. My email address is: ***@***.*** > > thanks, > Karan > > — > Reply to this email directly, view it on GitHub > <#13 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AA7OJ4PW7SPIWGQHJXB6XJ3VOXBTRANCNFSM434NAVYA> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

Karan Preet Singh Sasan · Answer 15 · Sat Jun 18 2022 19:27:19 GMT+0800 (China Standard Time)

Hi @lmcdo ,

I find I still don't have a clue as to the test scanner use case :(
Downloading and running the Facade project is easy enough, and I see that
docker compose downloads and gets the Vulnerable App, plus jsp and php
versions, and then populates the UI. But how is this useful for "testing a
test scanner" which you said was the purpose of this VulnerableApp Facade?
How to use the Levels in this process? There is no clue in the
documentation.

[Karan]
if you go to http://localhost/VulnerabilityDefinitions endpoint, you can see all the vulnerabilities present in the VulnerableApps. So scanners can run against the VulnerableApp and find vulnerabilities and then scanners can compare it with the response from http://localhost/VulnerabilityDefinitions endpoint and see if scanner has found the right vulnerabilities. Please have a look at video https://youtu.be/HRRTrnRgMjs?t=311. The link is from the time where i explain, how Scanners can use VulnerableApp.

The end user (test scanner dev, security/testing student) will want to
edit their own app vulnerabilities, but these files need to go in the
docker container, and that is why the Readme currently says "make a copy of
docker.compose.yml" in order to deploy the changes that the user makes to
their own code. Should the onboarding document provide a description of the
preferred docker process?

[Karan]
Yes, the newer app onboarding should build a docker and update the docker-compose.yml something like we did for our own vulnerable application.
Have a look at point 1 under https://github.com/SasanLabs/VulnerableApp#building-the-project for more information.

lawrence mcdonell · Answer 16 · Mon Jun 20 2022 12:28:06 GMT+0800 (China Standard Time)

Hi Karan, Since there is java code in any new vulnerability implementation (is this the "business logic" that you mention at 10:45 on the spotlight video you sent me?) required in SampleVulnerability.java (GenericVulnerabilityResponseBean) required in order to demonstrate onboarding a new vulnerability, I'm not competent for this task, being a frontend developer. sorry

…

On Sat, Jun 18, 2022 at 9:27 PM Karan Preet Singh Sasan < ***@***.***> wrote: Hi @lmcdo <https://github.com/lmcdo> , — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4OW576GHP3JTW3MAZTVPWXCHANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Karan Preet Singh Sasan · Answer 17 · Tue Jun 21 2022 01:13:14 GMT+0800 (China Standard Time)

@lmcdo Thanks for all the inputs and hardwork you did for this task. Shall i unassign this task?

thanks,
Karan

lawrence mcdonell · Answer 18 · Tue Jun 21 2022 06:55:36 GMT+0800 (China Standard Time)

yes no worries

…

On Tue, Jun 21, 2022 at 3:13 AM Karan Preet Singh Sasan < ***@***.***> wrote: @lmcdo <https://github.com/lmcdo> Thanks for all the inputs and hardwork you did for this task. Shall i unassign this task? thanks, Karan — Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7OJ4MOIF4XYDFYWHFFZUTVQCRDJANCNFSM434NAVYA> . You are receiving this because you were mentioned.Message ID: ***@***.***>