Datadog ASM sample applications

This repository contains the necessary resources to evaluate Datadog's code security products in the Java ecosystem. There are three applications available:

  • Insecure bank: a purposely vulnerable banking application containing multiple issues such as SQLi, LDAPi and others.

  • OWASP benchmark: a Java test suite designed to evaluate the accuracy, coverage and speed of automated software vulnerability detection tools.

  • OWASP WebGoat: a deliberately insecure application that lets developers exercise vulnerabilities commonly found in Java applications built on common and popular open source components.

Prerequisites

The only requirements for the samples are docker and docker-compose.

You will also need a valid Datadog API key in order to submit the discovered vulnerabilities.

Instructions

  1. Clone the repository:

     git clone git@github.com:DataDog/dd-asm-samples.git

  2. Rename the provided .env.sample file to .env and fill in your API key, preferred environment, version and service name prefix:

     cp .env.sample .env

  3. [Optional] All samples download the latest release of the Java tracer by default; you can override this behaviour by mounting your own jar in the docker-compose.yml file:

     volumes:
       - path to your agent here:/agent/dd-java-agent.jar

Running the samples

This repository provides a shell script run.sh that can be used to start, stop and inspect the logs from the different containers:

  1. start starts one of the provided applications:

     ./run.sh start [insecure-bank|webgoat|benchmark]

  2. logs outputs the logs of the containers:

     ./run.sh logs

  3. stop stops the running application:

     ./run.sh stop
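As an added illustration of the setup and run workflow above (this is not the repository's own run.sh), a minimal preflight-and-dispatch wrapper: it accepts only the three sample names, refuses to start when .env is missing or its API key is empty, and checks that a locally mounted agent jar actually exists before anything is sent to Datadog. It assumes the .env keys DD_API_KEY and DD_AGENT_JAR and that each sample is a docker-compose service of the same name; none of that is shown in the README.

```shell
#!/bin/sh
# Added example, not the repository's run.sh. Assumed (not from the README):
# .env holds DD_API_KEY, optionally DD_AGENT_JAR (a local tracer jar), and
# each sample is a docker-compose service named after the application.

# Only the three sample applications may be started (allowlist, not a pattern).
validate_app() {
    case "$1" in
        insecure-bank|webgoat|benchmark) return 0 ;;
        *) echo "unknown application '$1' (expected insecure-bank, webgoat or benchmark)" >&2
           return 1 ;;
    esac
}

# Preflight on the .env file: it must exist, DD_API_KEY must be non-empty and,
# when DD_AGENT_JAR is set, the jar it points to must be present on disk.
check_env_file() {
    env_file="${1:-.env}"
    [ -f "$env_file" ] || { echo "missing $env_file (run: cp .env.sample .env)" >&2; return 1; }
    api_key=$(sed -n 's/^DD_API_KEY=//p' "$env_file" | tail -n 1)
    [ -n "$api_key" ] || { echo "DD_API_KEY is empty in $env_file" >&2; return 1; }
    agent_jar=$(sed -n 's/^DD_AGENT_JAR=//p' "$env_file" | tail -n 1)
    if [ -n "$agent_jar" ] && [ ! -f "$agent_jar" ]; then
        echo "DD_AGENT_JAR points to a missing file: $agent_jar" >&2; return 1
    fi
    return 0
}

# Map a run.sh-style action to the docker-compose command it stands for.
# The command is printed, not executed, so it can be reviewed without Docker.
compose_command() {
    action="$1"; app="${2:-}"
    case "$action" in
        start) validate_app "$app" || return 1
               echo "docker-compose up -d $app" ;;
        logs)  echo "docker-compose logs -f" ;;
        stop)  echo "docker-compose down" ;;
        *)     echo "usage: $0 start [insecure-bank|webgoat|benchmark] | logs | stop" >&2
               return 1 ;;
    esac
}

main() {
    command -v docker >/dev/null && command -v docker-compose >/dev/null \
        || { echo "docker and docker-compose are required" >&2; return 1; }
    [ "$1" = start ] && { check_env_file .env || return 1; }
    cmd=$(compose_command "$@") || return 1
    echo "+ $cmd"
    sh -c "$cmd"
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```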

Insecure Bank

Insecure bank can be started with the following shell command:

./run.sh start insecure-bank

After a few minutes the application will be available at http://localhost:8080 and the logs at http://localhost:8181/insecure-bank/. You can then navigate the application in order to discover the different available vulnerabilities.

For example, you can try to log-in using:

  • username: john
  • password: test

The SQLi and LDAPi vulnerabilities will then be reported in Datadog (by default under the application name dd-asm-samples-insecure-bank).

[Screenshot: Insecure Bank vulnerabilities]

You can stop the application by running:

./run.sh stop

Benchmark

The OWASP benchmark can be executed with the following command:

./run.sh start benchmark

After a few minutes the benchmark will have finished and the scorecards will be available at http://localhost:8181/scorecard/.

All the vulnerabilities will be reported in Datadog (by default under the application name dd-asm-samples-benchmark).

[Screenshot: Benchmark vulnerabilities]

You can stop the application by running:

./run.sh stop

WebGoat

WebGoat can be started with the following shell command:

./run.sh start webgoat

After a few minutes the application will be available at http://localhost:8080/WebGoat and the logs at http://localhost:8181/webgoat/. Follow the different lessons in order to trigger vulnerabilities.

For example, you can use lesson 5 of SQLi to trigger the vulnerability:

[Screenshot: WebGoat lesson 5]

The SQLi vulnerability will then be reported in Datadog (by default under the application name dd-asm-samples-webgoat).

[Screenshot: WebGoat vulnerability]

You can stop the application by running:

./run.sh stop