Spiracle is an insecure web application used to test system security controls.
It can be used to read/write arbitrary files and open network connections. The application is also vulnerable to numerous other vulnerabilities such as:
-
SQL Injection (CWE-89)
-
XSS (CWE-79)
-
CSRF (CWE-352)
-
Path Traversal (CWE-22)
-
Deserialization (CWE-502)
-
and many more…
Caution
|
Due to its insecure design, this application should NOT be deployed on an unsecured network or system. |
This application has been tested on the following application servers:
-
Apache Tomcat 7.x
-
IBM WebSphere Liberty Core 8.5.5.3
Your mileage may vary with other application servers.
-
Download pre-built
spiracle.war
file from the releases page: https://github.com/waratek/spiracle/releases
-
Ensure that the application war file is extracted to your server’s apps directory:
$ mkdir ./wlp/usr/servers/defaultServer/apps/spiracle $ cd ./wlp/usr/servers/defaultServer/apps/spiracle $ jar xvf /path/to/downloaded/spiracle.war
-
Modify
server.xml
as follows:<?xml version="1.0" encoding="UTF-8"?> <server description="new server"> <!-- Enable features --> <featureManager> <feature>jsp-2.2</feature> <feature>Servlet-3.0</feature> <!--(1)--> </featureManager> <webApplication contextRoot="spiracle" location="spiracle"/> <!--(2)--> <httpSession idLength="28" /> <!--(3)--> <httpEndpoint id="defaultHttpEndpoint" host="*" <!--(4)--> httpPort="9080" httpsPort="9443"/> </server>
-
Enable
Servlet-3.0
as a feature -
Add a
webApplication
tag referencing Spiracle -
Change
httpSession
parameter length -
Add a
host
attribute
-
If you would like to run the SQL injection tests, the database should be populated as follows. Data files are available in the web applications spiracle/conf/
directory after the spiracle.war
file has been deployed and exploded.
-
Ensure that the Oracle Database JDBC Driver (ojdbc6.jar) is installed in the applications
WEB-INF/lib/
directory after thespiracle.war
file is exploded on first run. -
Import the data:
$ sqlplus SYS/password@//127.0.0.1:1521/XE AS SYSDBA < setupdb_oracle.sql
NoteThis will create a user test
with passwordtest
. You should adjust usernames and/or connection URLs dependent on your environment -
Configuration parameters for the Oracle JDBC connection are defined in
conf/Spiracle.properties
:c3p0.classname=oracle.jdbc.driver.OracleDriver c3p0.url=jdbc:oracle:thin:@localhost:1521:XE c3p0.username=test c3p0.password=test
Note
|
It may be necessary to restart your application server after deploying the ojdbc6.jar or updating database configuration.
|
-
Import the data:
$ mysql -u root -p test < setupdb_mysql.sql
NoteThis will create a user test
with passwordtest
. You should adjust usernames and/or connection URLs dependent on your environment -
Configuration parameters for the MySQL JDBC connection are defined in
conf/Spiracle.properties
:c3p0.classname=com.mysql.jdbc.Driver c3p0.url=jdbc:jdbc:mysql://localhost:3306/test c3p0.username=test c3p0.password=test
After deployment, the Spiracle application will be available at:
http://ip:port/spiracle/
Properties file can be overridden when submitting the request by appending the new value to the URL:
&connectionType=c3p0.mysql
Prerequisites:
-
Java >= 1.6
-
Apache Maven
-
Oracle Database JDBC Driver (ojdbc6.jar)
If you wish to use the database features, ensure that the Oracle database JDBC driver file ojdbc6.jar
is available under ./src/main/webapp/WEB-INF/lib
To build the Spiracle Test Application WAR file, run:
$ mvn install -Dversion.webxml=30
or
$ mvn install -Dversion.webxml=25
To clean the build infrastructure, run:
$ mvn clean
The WAR file will be output to:
./target/spiracle.war
Copyright 2018 Waratek Ltd. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.