The Music Store

A demo Music Store with Eclipse Vert.x and RxJava

Welcome
Welcome Page
Album
Album page

Runnning

If you only want to try the application without modifying it, run the build and start the components with docker-compose.

mvn clean package
docker-compose up

When all components are up browse to http://localhost:8080.

Otherwise start each component individually.

The Postgres database

docker run --rm --name musicstore-db -e POSTGRES_USER=music -e POSTGRES_PASSWORD=music -e POSTGRES_DB=musicdb -p 5432:5432 postgres

The MongoDB server

docker run --rm --name musicstore-mongo -p 27017:27017 mongo

Development

  • Do one time build to pull the dependencies mvn clean install

  • To run the application in foreground do mvn vertx:run with redeploy enabled

  • To run the applicaiton in background mode i.e. vertx start do mvn vertx:start

Check vertx-maven-plugin for more information and examples on the plugin.

Useful stuff

Initial dataset

The initial dataset has been created with the initdb.groovy script located at the project root. It parses a Rhythmbox database file and inserts the data into Postgres.

Then it’s easy to create a script for Flyway.

docker exec musicstore-db pg_dump -a --inserts --exclude-table=schema_version -h 127.0.0.1 -U music musicdb > src/main/resources/db/migration/V2__InsertData.sql

Install HDIV Agent

  • Copy agent jar to hdiv/agent folder.

  • Copy Hdiv license to hdiv/conf folder

Vulnerable end-points

SQl Injection

Threre are two sql injection vulnerable endpoints:

Path traversal

There is an endpoint through which you can read remote files on the server. User parameter "filename" to set the path and name of the file to read.

Untrusted deserialization

  • Upload XML files and deserialize with XStream.

  • There are four example RCE payloads in: src/resources/payloadXStreamXXX.xml.

  • You could try it from postman using url: http://localhost:8080/deserialize.

deserialize
headers Page

XXE

  • Upload XML files and map to java objects.

  • There is an example RCE payload in: src/resources/payloadXXE.xml

  • There is an example normal payload in: src/resources/payloadFoo.xml

  • You could try it from postman using url: http://localhost:8080/xxe.

  • The xml can be processed by Jackson or SAX. Use parameter "mapper" with values: custom or jackson.

xxe
headers Page

XPath Injection

Simulate a dummy login process where list of users is in XML. * If endpoint return true, you have access permissions. * If endpoint return false, you don’t have access permissions.

Examples:

Virtual patch

 virtual_patch.attackBlackList.XX={"ip"\:null,"uri"\:null,"headers"\:{"hola"\:"\=\=adios"},"cookies"\:null,"queryString"\:null,"maxRequestNumber"\:0,"windowDurationSeconds"\:1,"appName"\:null,"byteCodePatch"\:false}
 virtual_patch.attackBlackListDesc.XX=MyPatch
headers
headers Page