How to implement Web's Hospital

PoC || GTFO: #Docker + #Traefik + #Jenkins + #OWASP — BB 0.8

H.A.T
4 min readOct 7, 2016
InfoSec in a wishful nutshell

N.B: [This paper is not].append['Cloud/InfoSec Tutorial/Workshop'].

It should only be considered as a “Spontaneous Prose” of an ongoing journey, about building a bridge between InfoSec and DevOps industries through #SE, #Cloud, #OpenSource and #BugBounty. After all, it’s only full of open-source ideas shared in CC BY-NC 3.0.

Excuse my French, Kudos for challenging.

TL;DR: RedPill below, BluePill by the end

الواجب على الناظر في كتب العلوم، إذا كان غرضه معرفة الحقائق، أن يجعل نفسه خصماً لكل ما ينظر فيه.‫

أبو علي الحسن بن الحسن بن الهيثم

Oh hai o/

Let's cut it straight to technical shenanigans.

This PoC is an attempt to implement this wishful aim of InfoSec prevention, as close as *legally* possible to the Code Factory.

make target:

[About DevOpsSec] Nop, it’s not over yet \o/

make dry-run:

  • 100% Open Source tech legos. Because the 2 muchData 1 API is not my cup of tea.
  • It needs to run on cheap servers. Coz I'm a 99% dealing with a lawsuit.
  • KISS and lazy coding. Don't judge the dev that I'm not.
  • Monitoring, Registry management and image scanning are out of scope, because I need to submit this paper tonight.

make build:

  • A vulnerable app,
  • A kinda State-Diagram, waterfall-proof \o/
Dia is so powerful …
  • A kinda KISS Architecture. Yes, containers are floppy disks in my mind.
… And ugly at the same time #kudos
  • And a bunch of files:
user@yogosha:~/code/PoC$ tree
.
├── etc
│ └── traefik.toml <- Load Balancer config
├── Jenkinsfile <- Pipeline as Code
├── LICENSE <- MIT
├── Makefile <- RTFM
├── README.md <- You're reading it
└── src
├── php <- PHP sqli vulnerable
│ ├── debian.png
│ ├── Dockerfile <- Build recipe
│ ├── docker.png
│ ├── index.php <- App Code
│ ├── jenkins.png
│ ├── lamp.jpg
│ ├── owasp.png
│ ├── scaleway.svg
│ ├── star.png
│ └── traefik.png
└── sql
├── production.sql <- Prod Data
└── staging.sql <- Staging Data
4 directories, 17 files

Make run:

Get yourself comfortable behind your favorite terminal, and install docker.

Start by cloning the repo, make build Dev environment & make it run:

You should get this webapp running and vulnerable to a SQL Injection.

SQLi & FrontEnd Skillz

Happy with it? Let's call our friends, Traefik & Jenkins Pipeline, by running the commands:

Cheshire Cat eating Reblochon in HTTPS
docker run -d -p 8666:8080 -p 80:80 -p 443:443 -v /var/run/docker.sock:/var/run/docker.sock -v traefik:/data -v $PWD/etc/traefik.toml:/traefik.toml -v $PWD/conf/acme.json:/acme.json traefik
The White Rabbit
docker run -p 8080 -d -v  /data/jenkins/var/jenkins_home:/var/jenkins_home -v  /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/usr/bin/docker -v $(which make):/usr/bin/make --label  traefik.backend='jenkins' --label traefik.port='8080' --label  traefik.protocol='http' --label traefik.weight='10' --label traefik.frontend.rule='Host:chocobo.yogosha.com'
--label traefik.frontend.passHostHeader='true'
--label traefik.priority='10'
jenkinsci/docker-workflow-demo

Create a new Pipeline project in Jenkins as following:

As simple as a git clone

Congrats. You've run your first DevOpsSec process \o/

The trick:

No tricks. Only code. One file that mimics the initial State Diagram.

In a nutshell, it's only doing what you just did, runs a security test using ZAP on it, then push it to registry. An execution log can be found below.

To sum up:

BluePill

This is your last chance. After this, there is no turning back. You take the blue pill — the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill — you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember: all I’m offering is the truth. Nothing more.

--

--

H.A.T

InfoSec Kepo ~ Yes, I am a criminal. My crime is that of curiosity. I'm a H. ~ It's not me, it's the #INTJ daemon.