Tuesday, December 16, 2014

Sample JAX-RS web application to test Application servers for basic vulnerabilities

I have created a web application[1] that we can use for security tests. With this REST service we can perform basic security checks such as file copy, file delete, system property read, etc. I have also added a sample JMeter test case to verify its functionality. You need to deploy this in the tenant space and call the REST APIs as follows.

[1]https://github.com/sanjeewa-malalgoda/test-apps/tree/master/security-check


Requests should be sent in the following format:

HTTP GET - Read file (complete file path)
https://test.com/t/xxx.xxx/webapps/security-check/directFile?fileName=repository/conf/axis2/axis2.xml

HTTP POST - Create file (complete file path)
https://test.com/t/xxx.xxx/webapps/security-check/directFile?fileName=repository/conf/axis2/axis2.xml-dummy

HTTP DELETE - Delete file in Server (complete file path)
https://test.com/t/xxx.xxx/webapps/security-check/directFile?fileName=repository/conf/axis2/axis2.xml-dummy

HTTP GET - Read file (file path from carbon server home)
https://test.com/t/xxx.xxx/webapps/security-check/file?fileName=repository/conf/axis2/axis2.xml

HTTP POST - Create file (file path from carbon server home)
https://test.com/t/xxx.xxx/webapps/security-check/file?fileName=repository/conf/axis2/axis2.xml-dummy

HTTP DELETE - Delete file in Server (file path from carbon server home)
https://test.com/t/xxx.xxx/webapps/security-check/file?fileName=repository/conf/axis2/axis2.xml-dummy

HTTP GET - Read system property
https://test.com/t/xxx.xxx/webapps/security-check/systemProperty/java.home

HTTP POST - Copy files in server using carbon Utility methods
https://test.com/t/xxx.xxx/webapps/security-check/fileCopy?source=repository/conf/axis2/axis2.xml&destination=repository/conf/axis2/axis2.xml-dummy

HTTP POST - Delete files in server using carbon Utils
https://test.com/t/xxx.xxx/webapps/security-check/fileDelete?path=repository/conf/axis2/axis2.xml_PT

HTTP POST - Get registryDBConfig as string
https://test.com/t/xxx.xxx/webapps/security-check/registryDBConfig

HTTP POST - Get userManagerDBConfig config as string
https://test.com/t/xxx.xxx/webapps/security-check/userManagerDBConfig

HTTP GET - Get network configs as string
https://test.com/t/xxx.xxx/webapps/security-check/networkConfigs

HTTP GET - Get server configuration as string
https://test.com/t/xxx.xxx/webapps/security-check/serverConfiguration

HTTP POST - Get network configs as string
https://test.com/t/xxx.xxx/webapps/security-check/networkConfigs?hostName=test.org&mgtHostName=test1.org
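As an added example (not the code from the repository linked above), here is a JAX-RS resource implementing the directFile endpoints in the form such a check needs: each operation is attempted and the response states whether the Java Security Manager blocked it. It assumes JAX-RS 2.0 (javax.ws.rs) and Java 8; the package and class names and the ALLOWED/BLOCKED response format are my own.

```java
package example.securitycheck; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.concurrent.Callable;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/directFile")
@Produces(MediaType.TEXT_PLAIN)
public class DirectFileResource {

    @GET // read a file by its complete path; only the size is reported back
    public Response read(@QueryParam("fileName") String fileName) {
        return attempt("read", fileName,
                () -> "read " + Files.readAllBytes(Paths.get(fileName)).length + " bytes");
    }

    @POST // create a file with dummy content at the given path
    public Response create(@QueryParam("fileName") String fileName) {
        return attempt("create", fileName, () -> {
            Files.write(Paths.get(fileName), "dummy".getBytes(StandardCharsets.UTF_8));
            return "created";
        });
    }

    @DELETE // delete the file at the given path
    public Response delete(@QueryParam("fileName") String fileName) {
        return attempt("delete", fileName, () -> { Files.delete(Paths.get(fileName)); return "deleted"; });
    }

    // A SecurityException means the Security Manager policy blocked tenant code
    // (the desired outcome); success means the policy permits this operation.
    private static Response attempt(String op, String fileName, Callable<String> action) {
        if (fileName == null || fileName.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).entity("fileName is required").build();
        }
        try {
            return Response.ok("ALLOWED: " + op + " " + fileName + ": " + action.call()).build();
        } catch (SecurityException e) {
            return Response.status(Response.Status.FORBIDDEN)
                    .entity("BLOCKED by SecurityManager: " + op + " " + fileName + " (" + e.getMessage() + ")").build();
        } catch (Exception e) {
            return Response.serverError().entity("ERROR: " + op + " " + fileName + " (" + e + ")").build();
        }
    }
}
```

When the tenant policy is correct, every call to these endpoints should return 403 with a BLOCKED line; a 200 ALLOWED response points at a permission the policy should not grant.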

============ The following operations are not covered by the Java Security Manager ============
HTTP POST - Generate OOM
https://test.com/t/xxx.xxx/webapps/security-check/memory?operation=oom

HTTP POST - Generate high CPU
https://test.com/t/xxx.xxx/webapps/security-check/memory?operation=cpu

HTTP POST - Generate system call
https://test.com/t/xxx.xxx/webapps/security-check/memory?operation=kill
