This repository contains and describes an example setup of the OWASP Juice Shop as a vulnerable backend that can be protected with Airlock Microgateway, a Web Application and API Protection solution.
To deploy this example, you need a K8s cluster of your choice.
To test the deployment and configuration, you can use a browser or curl from a command line.
Alternatively, we provide commands that spawn a pod to execute curl requests from within the cluster, if you want to test using only cluster-internal traffic.
See Quick start guide below.
The example creates:
- a Deployment with the image from https://hub.docker.com/r/bkimminich/juice-shop
- a NodePort Service for that deployment listening to NodePort 30080
kubectl apply -k juice-shop/
Attack the Juice Shop to verify the vulnerability.
- Verify that a normal login fails. You can follow the section on normal login for that.
- Use the SQL Injection vulnerability to gain access, as suggested in the section on the attack payload.
Screen recording "Attack the unprotected Juice Shop":
attack-the-unprotected-juice-shop.mov
Apply the Airlock Microgateway configuration custom resources for the Juice Shop deployment.
The configuration includes the following resources:
- SidecarGateway : Link between the protected application and Airlock Microgateway
- ContentSecurity : Specifies the options to secure an upstream web application with a Microgateway Engine container
- DenyRules : Block malicious requests to upstream web applications
- HeaderRewrites : Header filtering/rewriting
kubectl apply -k microgateway-configuration/
Add the label sidecar.microgateway.airlock.com/inject=true to the Juice Shop deployment so that the previously deployed Airlock Microgateway Operator injects a Microgateway Engine sidecar.
kubectl patch deployment juice-shop -p '{"spec": {"template": {"metadata": {"labels": {"sidecar.microgateway.airlock.com/inject":"true"}}}}}' -n=juice-shop
Wait until the deployment juice-shop is rolled out with the Microgateway Sidecar injected.
kubectl rollout status deployment juice-shop -n=juice-shop
Note: The patch command is used for demonstration purposes. It is recommended to add this label to the deployment resource file when managing applications in production.
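The same label set declaratively, as the note recommends, in an added example manifest that is not part of the repository's own juice-shop/ resources: a Deployment for the Juice Shop image with the injection label on the pod template. The label belongs under spec.template.metadata.labels, which is where the kubectl patch above places it, not under the Deployment's own metadata, because the operator decides about injection per pod. The app selector label and the replica count are assumptions; the image, the juice-shop namespace and port 3000 are taken from this page.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: juice-shop
  namespace: juice-shop
spec:
  replicas: 1                      # assumption for the example
  selector:
    matchLabels:
      app: juice-shop              # assumed selector label
  template:
    metadata:
      labels:
        app: juice-shop
        # Opt this workload in to sidecar injection by the Airlock Microgateway Operator.
        # Must sit on the pod template, not on the Deployment metadata.
        sidecar.microgateway.airlock.com/inject: "true"
    spec:
      containers:
        - name: juice-shop
          image: bkimminich/juice-shop
          ports:
            - containerPort: 3000
```

After applying the manifest, kubectl rollout status as shown in the next step confirms that the new pods, now with the injected Engine container, have replaced the old ones.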
Attack the Juice Shop to verify the protection.
- You can retry the SQL Injection vulnerability suggested in the section on the attack payload and should now receive a Request Blocked message.
Screen recording "Attack the protected Juice Shop":
attack-the-protected-juice-shop.mov
Trying to log in as user admin with any password results in an "Invalid email or password" error.
Option A: Browser
Access the Juice Shop in a browser and navigate to Account > Login at the top right.
Try logging in as admin with any password.
Option B: Using curl directly
curl '<hostname>:<port>/rest/user/login' \
-H 'Content-Type: application/json' \
--data-raw $'{"email":"admin","password":"test"}'
Option C: Using dedicated pod
kubectl run -n=juice-shop -it --restart=Never --rm curl --image=curlimages/curl -- curl -v juice-shop:3000/rest/user/login -H 'Content-Type: application/json' --data-raw $'{"email":"admin","password":"test"}'
A login as admin into an unprotected Juice Shop is possible via SQL Injection. The following attack string can be used as a username with any password to access the application as the admin user.
admin' or 1=1 --
Without any additional protection in place, this will result in a successful login. After protecting the Juice Shop with the Airlock Microgateway, the same attack will be blocked with "Request blocked: " followed by a UUID.
Hint: Do not forget to log out before subsequent tests if the login was successful.
Option A: Browser
Access the Juice Shop in a browser and navigate to Account > Login at the top right.
Try logging in with username admin' or 1=1 -- and any password.
Option B: Using curl directly
curl '<hostname>:<port>/rest/user/login' \
-H 'Content-Type: application/json' \
--data-raw $'{"email":"admin\' or 1=1--","password":"test"}'
Option C: Using curl pod
kubectl run -n=juice-shop -it --restart=Never --rm curl --image=curlimages/curl -- curl -v juice-shop:3000/rest/user/login -H 'Content-Type: application/json' --data-raw $'{"email":"admin\' or 1=1--","password":"test"}'
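Why the payload from the attack-payload section bypasses the login, and what the fix inside the application looks like, as an added illustration that is not Juice Shop's code and not part of this repository: a login query built by string formatting next to its parameterized form, using Python's sqlite3 with a constructed single-user table. The admin e-mail address, the password, the hashing stand-in and the table layout are assumptions for the demonstration. Airlock Microgateway's deny rules stop such a request before it reaches the application; the parameterized query removes the underlying bug, and a production setup wants both layers.

```python
import hashlib
import sqlite3

# Constructed credentials for the demonstration (not Juice Shop's real data).
ADMIN_EMAIL = "admin@juice-sh.op"
ADMIN_PASSWORD = "correct-horse"


def hash_pw(password: str) -> str:
    """Stand-in for the application's password hashing (illustrative only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory Users table holding a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        (ADMIN_EMAIL, hash_pw(ADMIN_PASSWORD), "admin"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Login query assembled by string formatting: user input becomes SQL text.

    With email = "admin' or 1=1 --" the WHERE clause turns into
    email = 'admin' or 1=1 and everything after the -- (including the
    password comparison) is an SQL comment, so the first row matches
    regardless of the password supplied.
    """
    sql = (
        "SELECT email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{hash_pw(password)}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, email, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, hash_pw(password))).fetchone()


if __name__ == "__main__":
    conn = build_db()
    payload = "admin' or 1=1 --"
    print("normal login, any password       :", login_vulnerable(conn, "admin", "test"))
    print("injected, vulnerable query       :", login_vulnerable(conn, payload, "test"))
    print("injected, parameterized query    :", login_parameterized(conn, payload, "test"))
    print("valid credentials, parameterized :", login_parameterized(conn, ADMIN_EMAIL, ADMIN_PASSWORD))
```

The first call reproduces the "normal login fails" check from the section above (no user with e-mail admin exists), the second shows the injected string returning the admin row from the string-formatted query, and the third shows the identical input matching nothing once the e-mail is bound as a parameter.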
Check the official documentation at docs.airlock.com or the product website at airlock.com/microgateway. The links below point out the most interesting documentation sites when starting with Airlock Microgateway.
The instructions below provide a quick start guide for a "standard" Kubernetes setup. Setup descriptions for other platforms, e.g. OpenShift, as well as detailed information are provided in the manual.
Note: Installing Airlock Microgateway CNI is required for this example. The example configuration is meant for the sidecar data plane mode.
See documentation for more information about data plane modes.
- Airlock Microgateway License
- cert-manager
- helm (>= v3.8.0)
In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing.
- Either request a community or premium license
- Community license: airlock.com/microgateway-community
- Premium license: airlock.com/microgateway-premium
- Check your inbox and save the license file microgateway-license.txt locally.
See Community vs. Premium editions in detail to choose the right license type.
# Add the cert-manager repository and perform a Helm-based installation
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait
# Wait for the cert-manager to be up and running
kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager
Note: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. Please refer to the Release Readme or the chapter on sidecar-based Microgateway installation at docs.airlock.com.
- Install the CNI plugin with Helm.
# Standard setup
helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni
- (Recommended) You can verify the correctness of the installation with helm test.
# Standard setup
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
helm test airlock-microgateway-cni -n kube-system --logs
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1'
Consult our documentation in case of any installation error.
This guide assumes a microgateway-license.txt file is present in the working directory.
- Install CRDs and Operator.
# Create namespace
kubectl create namespace airlock-microgateway-system
# Install license
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
# Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle the initial installation but not upgrades)
helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.1' --wait
- (Recommended) You can verify the correctness of the installation with helm test.
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1'
helm test airlock-microgateway -n airlock-microgateway-system --logs
helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1'
View the detailed license terms for the software contained in this image.
- Decompiling or reverse engineering is not permitted.
- Using any of the deny rules or parts of these filter patterns outside of the image is not permitted.
Airlock® is a security innovation by ergon