Skip to content

airlock/microgateway-juiceshop

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Microgateway Demo: Juiceshop

This repository contains and describes an example setup of the OWASP Juice-Shop as a vulnerable backend that can be protected using the Web Application and API Protection Solution Airlock Microgateway.

Setup Overview

To deploy this example, you need a K8s cluster of your choice.

To test the deployment and configuration, you can use a browser or curl from a command line.

Alternatively, we provide commands that spawn a pod to execute curl requests from within the cluster, if you want to test with solely cluster internal traffic.

Deploy Airlock Microgateway

See Quick start guide below.

Vulnerable Web App: Juice Shop Deployment

The example creates:

kubectl apply -k juice-shop/

Attack the juice shop to verify vulnerabilty.

Screen recording "Attack the unprotected Juice Shop":

attack-the-unprotected-juice-shop.mov

Protect Web App: Airlock Microgateway Configuration

Apply the Airlock Microgateway configuration custom resources for the Juice Shop deployment.

The configuration includes the following resources:

  • SidecarGateway : Link between the protected application and Airlock Microgateway
  • ContentSecurity : Specifies the options to secure an upstream web application with a Microgateway Engine container
  • DenyRules : Block malicious requests to upstream web applications
  • HeaderRewrites : Header filtering/rewriting
kubectl apply -k microgateway-configuration/

Add the label sidecar.microgateway.airlock.com/inject=true to the Juice Shop deployment so that the previously deployed Airlock Microgateway Operator injects a Microgateway Engine sidecar.

kubectl patch deployment juice-shop -p '{"spec": {"template": {"metadata": {"labels": {"sidecar.microgateway.airlock.com/inject":"true"}}}}}' -n=juice-shop

Wait until the deployment juice-shop is rolled out with the Microgateway Sidecar injected.

kubectl rollout status deployment juice-shop -n=juice-shop

Note: The patch command is used for demonstration purposes. It is recommended to add this label to the deployment resource file when managing applications on production.

Attack the juice shop to verify protection.

Screen recording "Attack the protected Juice Shop":

attack-the-protected-juice-shop.mov

Web app attack: SQL Injection Example

Failed normal login

Trying to login as user admin with any password results in an "Invalid email or password" error.

Option A: Browser

Access the Juice Shop in a browser and navigate to Account > Login at the top right.

Try logging in as admin with any password.

'Invalid email or password' without attack payload

Option B: Using curl directly
curl '<hostname>:<port>/rest/user/login' \
  -H 'Content-Type: application/json' \
  --data-raw $'{"email":"admin","password":"test"}'
Option C: Using dedicated pod
kubectl run -n=juice-shop -it --restart=Never --rm curl --image=curlimages/curl -- curl -v juice-shop:3000/rest/user/login -H 'Content-Type: application/json' --data-raw $'{"email":"admin","password":"test"}'

Attack string login

A login as admin into an unprotected Juice Shop is possible via SQL Injection. The following attack string can be used as a username with any password to access the application as the admin user.

admin' or 1=1 --

Without any additional protection in place, this will result in a successful login. After protecting the Juice Shop with the Airlock Microgateway, the same attack will be blocked with "Request blocked: " followed by a UUID.

Hint: Do not forget to logout for subsequent tests, if you were successful.

Option A: Browser

Access the Juice Shop in a browser and navigate to Account > Login at the top right.

Try logging in with username admin' or 1=1 -- and any password.

'Successfully solved a challenge: Login Admin' when using attack payload 'Request blocked' when using attack payload

Option B: Using curl directly
curl '<hostname>:<port>/rest/user/login' \
  -H 'Content-Type: application/json' \
  --data-raw $'{"email":"admin\' or 1=1--","password":"test"}'
Option C: Using curl pod
kubectl run -n=juice-shop -it --restart=Never --rm curl --image=curlimages/curl -- curl -v juice-shop:3000/rest/user/login -H 'Content-Type: application/json' --data-raw $'{"email":"admin\' or 1=1--","password":"test"}'

Documentation and links

Check the official documentation at docs.airlock.com or the product website at airlock.com/microgateway. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.

Quick start guide - Microgateway Operator

Expand for Details

The instructions below provide a quick start guide for a "standard" Kubernetes setup. Setup description for, e.g., OpenShift, as well as detailed information are provided in the manual.

Prerequisites

In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.

Obtain Airlock Microgateway License

  1. Either request a community or premium license
  2. Check your inbox and save the license file microgateway-license.txt locally.

See Community vs. Premium editions in detail to choose the right license type.

Deploy cert-manager

# Install cert-manager
kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/?ref=4.2.1

# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager

Deploy Airlock Microgateway CNI

Note: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. Please refer to the Release Readme or the Chapter on Installation in docs.airlock.com

  1. Install the CNI Plugin with Helm.

    # Standard setup
    helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.1'
    kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
  2. (Recommended) You can verify the correctness of the installation with helm test.

    # Standard setup
    helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.1'
    helm test airlock-microgateway-cni -n kube-system --logs
    helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.1'

    Consult our documentation in case of any installation error.

Deploy Airlock Microgateway Operator

This guide assumes a microgateway-license.txt file is present in the working directory.

  1. Install CRDs and Operator.

    # Create namespace
    kubectl create namespace airlock-microgateway-system
    
    # Install License
    kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
    
    # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades)
    helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.2.1' --wait
  2. (Recommended) You can verify the correctness of the installation with helm test.

    helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.1'
    helm test airlock-microgateway -n airlock-microgateway-system --logs
    helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.1'

License

View the detailed license terms for the software contained in this image.

  • Decompiling or reverse engineering is not permitted.
  • Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.

Airlock® is a security innovation by ergon

Airlock Secure Access Hub

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published