Write readme and document getting started guide #13
Comments
Updated the readme file; however, the contributing guideline still needs to be updated. |
Update the readme of this project and also https://owasp.org/www-project-vulnerableapp-facade/, which has the GitHub repository https://github.com/OWASP/www-project-vulnerableapp-facade, as they both point to the old docker image. |
Updated the docker image links. |
Left items in this task:
1. Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
2. A new file explaining how to contribute to the project. This is needed as we are building the UI in React and might require some explanation regarding coding structure.
3. Update readme with the project's tech stack.
4. Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project.
|
Hi, I can help with this. Can you tell me where I can find whatever information is required to do this documentation? |
Hi @lmcdo,
Some of the documentation links which are very up to date:
1. Readme for this project: https://github.com/SasanLabs/VulnerableApp-facade#readme
2. OWASP Spotlight intro: https://www.youtube.com/watch?v=HRRTrnRgMjs&ab_channel=VandanaVerma
3. Our thoughts: https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade
Older references but still hold good information:
1. Older video explaining the initial project: https://www.youtube.com/watch?v=AjL4B-WwrrA&ab_channel=OwaspVulnerableApp
2. Older documentation: https://sasanlabs.github.io/VulnerableApp/
3. Design document: https://sasanlabs.github.io/VulnerableApp/DesignDocumentation.html
4. Blog: https://hussaina-begum.medium.com/an-extensible-vulnerable-application-for-testing-the-vulnerability-scanning-tools-cc98f0d94dbc
5. https://github.com/SasanLabs/VulnerableApp-jsp and https://github.com/SasanLabs/VulnerableApp-php, depicting how any vulnerable application can leverage the VulnerableApp-facade.
Please let me know if you need more context; we can discuss over a call. Thanks, |
Hi Karan,
Thanks for your reply. I have read through the code, the documentation and the OWASP website, and watched the two videos attached, but I am new to OWASP and the general vulnerable apps scene, so I am currently still trying to understand it all. I am experienced in fullstack and React. Happy to talk on a call too.
The items below (I copied the text from the GitHub issues) seem to be the current ones, I think? I am asking everything in a bid to learn as much as possible, please direct where possible :)
Left items in this task:
1. Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
*Is there any current documentation or references for this? The best I can guess is that this refers to the OWASP Spotlight video (see attached screenshot), where some edits are made to a Java file for Title, Description and Hints.*
2. A new file explaining how to contribute to the project. This is needed as we are building the UI in React and might require some explanation regarding coding structure.
Are there further requirements for this? E.g. is the current How to Contribute ok? How much detail would be good for the explanation of coding structure (do you have an example in mind)?
3. Update readme with the project's tech stack.
Is there a model/example for this, or is there a defined place to get this?
4. Update https://owasp.org/www-project-vulnerable-web-applications-directory/ project.
Could you please expand on which updates are needed for this project?
|
Hi @lmcdo,
On pointer 1, the way we configure a vulnerable app is via a JSON contract, and you can find the contract details in https://github.com/SasanLabs/VulnerableApp-facade/wiki/Contract-Schema-Design-for-Vulnerable-Applications-to-register-to-VulnerableApp-facade. You can also look into https://github.com/SasanLabs/VulnerableApp-facade/blob/main/nginx.conf and https://github.com/SasanLabs/VulnerableApp-facade/blob/main/lua-modules/vulnerableapp_utility.lua to see how we configured 3 vulnerable apps.
On pointer 2, I think the current structure has issues in explaining the ways to debug/set up locally; we need a document or a video explaining how to configure or remove one app under the vulnerable app facade, etc., both in order to just run the application and in order to develop or enhance it.
On pointer 3, we just need to mention the React version we are using in the readme, as well as the npm version. We can also include a detailed video explaining how the entire architecture of the application is built, etc., if possible.
Pointer 4 we can ignore. Thanks, |
Hi Karan,
I suppose I have not had enough exposure to the use cases of vulnerability testing and scanning to fully understand this use case! I read a lot more around this but can't resolve it. I would have thought that a vulnerable app was an app, e.g. a web app with its own features and purpose, which has either known or unknown security weaknesses. But here, OWASP Vulnerability App is something to fix/diagnose such a vulnerable app, not a vulnerable app itself, so it is ambiguous. I don't understand the relation between the OWASP Vulnerability App, the testing scanner and a sample vulnerability, or the process and reasoning of how the JSON file configuration works (together, possibly, with the Java code editing in the OWASP Spotlight video). Sorry about that. I would be able to help if I could get some more basic orientation, thanks for any info.
|
Hi @lmcdo, I think the best way to discuss all these points is over a call. I work in the IST timezone till 10 PM IST, so let me know when we can connect. Happy to connect today as well. Thanks, |
Right, I am AEST, Sydney Australia; it's 9 pm here now.
Possibly my tomorrow 5 pm, your 12.30 pm?
|
@lmcdo Sure, works for me, please schedule a meeting on Google Meet. My email address is: ***@***.*** Thanks, |
Sorry, use this one; this link is for tomorrow 12.30 IST:
https://meet.google.com/nez-imjd-fbv
|
Hi Karan,
Creating a document explaining how to onboard a vulnerable application to the VulnerableApp-facade project.
1. I find I still don't have a clue as to the test scanner use case :( Downloading and running the Facade project is easy enough, and I see that docker compose downloads and gets the Vulnerable App, plus the jsp and php versions, and then populates the UI. But how is this useful for "testing a test scanner", which you said was the purpose of this VulnerableApp Facade? How are the Levels used in this process? There is no clue in the documentation.
2. The end user (test scanner dev, security/testing student) will want to edit their own app vulnerabilities, but these files need to go in the docker container, and that is why the readme currently says "make a copy of docker.compose.yml" in order to deploy the changes that the user makes to their own code. Should the onboarding document provide a description of the preferred docker process?
|
Hi @lmcdo,
[Karan]
[Karan] |
Hi Karan,
Since there is Java code in any new vulnerability implementation (is this the "business logic" that you mention at 10:45 in the Spotlight video you sent me?), required in SampleVulnerability.java (GenericVulnerabilityResponseBean) in order to demonstrate onboarding a new vulnerability, I'm not competent for this task, being a frontend developer. Sorry.
|
@lmcdo Thanks for all the inputs and hard work you did for this task. Shall I unassign this task? Thanks, |
Yes, no worries.
|
While discussing with @nowakkamil, we found that we are missing readme details and documentation, so we need to add them.