Skip to content

Insecure web application used to test system security controls

License

Notifications You must be signed in to change notification settings

waratek/spiracle

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Spiracle

Spiracle is an insecure web application used to test system security controls.

It can be used to read/write arbitrary files and open network connections. The application is also vulnerable to numerous other vulnerabilities such as:

  • SQL Injection (CWE-89)

  • XSS (CWE-79)

  • CSRF (CWE-352)

  • Path Traversal (CWE-22)

  • Deserialization (CWE-502)

  • and many more…​

Caution
Due to its insecure design, this application should NOT be deployed on an unsecured network or system.

This application has been tested on the following application servers:

  • Apache Tomcat 7.x

  • IBM WebSphere Liberty Core 8.5.5.3

Your mileage may vary with other application servers.

Installation

Tomcat

  • Copy the war file to the $CATALINA_HOME/webapps/ directory.

Liberty Core

  • Ensure that the application war file is extracted to your server’s apps directory:

    $ mkdir ./wlp/usr/servers/defaultServer/apps/spiracle
    $ cd ./wlp/usr/servers/defaultServer/apps/spiracle
    $ jar xvf /path/to/downloaded/spiracle.war
  • Modify server.xml as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <server description="new server">
      <!-- Enable features -->
      <featureManager>
        <feature>jsp-2.2</feature>
        <feature>Servlet-3.0</feature> <!--(1)-->
      </featureManager>
    
      <webApplication contextRoot="spiracle" location="spiracle"/> <!--(2)-->
      <httpSession idLength="28" /> <!--(3)-->
    
      <httpEndpoint id="defaultHttpEndpoint"
                    host="*" <!--(4)-->
                    httpPort="9080"
                    httpsPort="9443"/>
    </server>
    1. Enable Servlet-3.0 as a feature

    2. Add a webApplication tag referencing Spiracle

    3. Change httpSession parameter length

    4. Add a host attribute

Database setup

If you would like to run the SQL injection tests, the database should be populated as follows. Data files are available in the web applications spiracle/conf/ directory after the spiracle.war file has been deployed and exploded.

Oracle

  1. Ensure that the Oracle Database JDBC Driver (ojdbc6.jar) is installed in the applications WEB-INF/lib/ directory after the spiracle.war file is exploded on first run.

  2. Import the data:

    $ sqlplus SYS/password@//127.0.0.1:1521/XE AS SYSDBA < setupdb_oracle.sql
    Note
    This will create a user test with password test. You should adjust usernames and/or connection URLs dependent on your environment
  3. Configuration parameters for the Oracle JDBC connection are defined in conf/Spiracle.properties:

    c3p0.classname=oracle.jdbc.driver.OracleDriver
    c3p0.url=jdbc:oracle:thin:@localhost:1521:XE
    c3p0.username=test
    c3p0.password=test
Note
It may be necessary to restart your application server after deploying the ojdbc6.jar or updating database configuration.

MySQL

  1. Import the data:

    $ mysql -u root -p test < setupdb_mysql.sql
    Note
    This will create a user test with password test. You should adjust usernames and/or connection URLs dependent on your environment
  2. Configuration parameters for the MySQL JDBC connection are defined in conf/Spiracle.properties:

    c3p0.classname=com.mysql.jdbc.Driver
    c3p0.url=jdbc:jdbc:mysql://localhost:3306/test
    c3p0.username=test
    c3p0.password=test

Running

After deployment, the Spiracle application will be available at:

http://ip:port/spiracle/

Properties file can be overridden when submitting the request by appending the new value to the URL:

&connectionType=c3p0.mysql

Building

Prerequisites:

If you wish to use the database features, ensure that the Oracle database JDBC driver file ojdbc6.jar is available under ./src/main/webapp/WEB-INF/lib

To build the Spiracle Test Application WAR file, run:

$ mvn install -Dversion.webxml=30

or

$ mvn install -Dversion.webxml=25

To clean the build infrastructure, run:

$ mvn clean

The WAR file will be output to:

./target/spiracle.war

License

Copyright 2018 Waratek Ltd.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

About

Insecure web application used to test system security controls

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages