How to implement Web's Hospital
PoC || GTFO: #Docker + #Traefik + #Jenkins + #OWASP — BB 0.8
N.B: [This paper is not].append['Cloud/InfoSec Tutorial/Workshop'].
It should only be considered as a “Spontaneous Prose” of an ongoing journey, about building a bridge between InfoSec and DevOps industries through #SE, #Cloud, #OpenSource and #BugBounty. After all, it’s only full of open-source ideas shared in CC BY-NC 3.0.
Excuse my French, Kudos for challenging.
TL;DR: RedPill below, BluePill by the end
The duty of the one who studies the books of the sciences, if his aim is to know the truth, is to make himself an adversary of everything he examines.
Oh hai o/
Let's cut it straight to technical shenanigans.
This PoC is an attempt to implement this wishful aim of InfoSec prevention, as close as *legally* possible to the Code Factory.
make target:
make dry-run:
- 100% Open Source tech legos. Because the 2 muchData 1 API is not my cup of tea.
- It needs to run on cheap servers. Coz I'm a 99% dealing with a lawsuit.
- KISS and lazy coding. Don't judge the dev that I'm not.
- Monitoring, Registry management and image scanning are out of scope, because I need to submit this paper tonight.
make build:
- A vulnerable app,
- A kinda State-Diagram, waterfall-proof \o/
- A kinda KISS Architecture. Yes, containers are floppy disks in my mind.
- And a bunch of files:
user@yogosha:~/code/PoC$ tree
.
├── etc
│   └── traefik.toml       <- Load Balancer config
├── Jenkinsfile            <- Pipeline as Code
├── LICENSE                <- MIT
├── Makefile               <- RTFM
├── README.md              <- You're reading it
└── src
    ├── php                <- PHP sqli vulnerable
    │   ├── debian.png
    │   ├── Dockerfile     <- Build recipe
    │   ├── docker.png
    │   ├── index.php      <- App Code
    │   ├── jenkins.png
    │   ├── lamp.jpg
    │   ├── owasp.png
    │   ├── scaleway.svg
    │   ├── star.png
    │   └── traefik.png
    └── sql
        ├── production.sql <- Prod Data
        └── staging.sql    <- Staging Data

4 directories, 17 files
make run:
Get yourself comfortable behind your favorite terminal, and install docker.
Start by cloning the repo, build the Dev environment with make build, and run it with make run:
You should get this webapp running and vulnerable to a SQL Injection.
Happy with it? Let's call our friends, Traefik & Jenkins Pipeline, by running the commands:
docker run -d -p 8666:8080 -p 80:80 -p 443:443 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v traefik:/data \
  -v $PWD/etc/traefik.toml:/traefik.toml \
  -v $PWD/conf/acme.json:/acme.json \
  traefik

docker run -d -p 8080 \
  -v /data/jenkins/var/jenkins_home:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(which docker):/usr/bin/docker \
  -v $(which make):/usr/bin/make \
  --label traefik.backend='jenkins' \
  --label traefik.port='8080' \
  --label traefik.protocol='http' \
  --label traefik.weight='10' \
  --label traefik.frontend.rule='Host:chocobo.yogosha.com' \
  --label traefik.frontend.passHostHeader='true' \
  --label traefik.priority='10' \
  jenkinsci/docker-workflow-demo
Create a new Pipeline project in Jenkins as follows:
Congrats. You've run your first DevOpsSec process \o/
The trick:
No tricks. Only code. One file that mimics the initial State Diagram.
In a nutshell, it only does what you just did by hand, runs a security test against the result using ZAP, then pushes the image to the registry. An execution log can be found below.
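What such a Jenkinsfile looks like, as an added example that follows the state diagram above rather than the repository's own file: build the PHP image, run it as a throwaway staging container, run a ZAP baseline scan against it, and push only if the scan comes back clean. The image name, registry host, ZAP image (ghcr.io/zaproxy/zaproxy:stable) and the app listening on port 80 are assumptions.

```groovy
// Added example, not the repository's own Jenkinsfile. Assumes Docker is usable from
// the Jenkins container (socket + binary mounted as in the run command above), that
// the PHP image listens on port 80, and that IMAGE, REGISTRY and the ZAP image are placeholders.
pipeline {
    agent any
    environment {
        IMAGE    = 'poc/php-sqli'                // hypothetical image name
        REGISTRY = 'registry.example.com'        // placeholder registry host
        NET      = "poc-${env.BUILD_NUMBER}"     // per-build network so ZAP can reach the app
        APP      = "app-${env.BUILD_NUMBER}"     // staging container name
    }
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t "${IMAGE}:${BUILD_NUMBER}" src/php'
            }
        }
        stage('Run staging') {
            steps {
                sh '''
                  docker network create "${NET}"
                  docker run -d --name "${APP}" --network "${NET}" "${IMAGE}:${BUILD_NUMBER}"
                '''
            }
        }
        stage('ZAP baseline') {
            steps {
                // zap-baseline.py exits 0 on pass, 1 on FAIL alerts, 2 on WARN alerts (3 on error),
                // so a non-zero code fails the build here and the Push stage never runs.
                sh 'docker run --rm --network "${NET}" ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t "http://${APP}:80"'
            }
        }
        stage('Push') {
            steps {
                sh '''
                  docker tag "${IMAGE}:${BUILD_NUMBER}" "${REGISTRY}/${IMAGE}:${BUILD_NUMBER}"
                  docker push "${REGISTRY}/${IMAGE}:${BUILD_NUMBER}"
                '''
            }
        }
    }
    post {
        always {   // tear the staging app and its network down whether the scan passed or not
            sh 'docker rm -f "${APP}" || true; docker network rm "${NET}" || true'
        }
    }
}
```

The baseline scan is passive, so it fails the build on WARN-level findings as well; pass `-I` to zap-baseline.py if only FAIL alerts should block the push, and give the staging container a moment to start (a short sleep or a curl retry loop) before scanning to avoid a spurious failure.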
To sum up:
This is your last chance. After this, there is no turning back. You take the blue pill — the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill — you stay in Wonderland, and I show you how deep the rabbit hole goes. Remember: all I’m offering is the truth. Nothing more.