Skip to content
/ bookmark-service Public

A secure spring boot based java service providing an API to store and retrieve browser bookmarks

License

Apache-2.0 license
18 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

andifalk/bookmark-service

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits

.mvn/wrapper

.mvn/wrapper

 
 

depcheck

depcheck

 
 

postman

postman

 
 

presentations/devoxx_uk_2021

presentations/devoxx_uk_2021

 
 

sonarqube

sonarqube

 
 

src

src

 
 

zap

zap

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

analyze_sonar.sh

analyze_sonar.sh

 
 

api-docs.json

api-docs.json

 
 

mvnw

mvnw

 
 

mvnw.cmd

mvnw.cmd

 
 

pom.xml

pom.xml

 
 

Repository files navigation

Bookmark Service Application

An insecure spring boot based java service providing an API to store and retrieve browser bookmarks for different users.

  • main branch: The insecure variant of this application with lots of security tests covering several topics of the OWASP Top 10 (2021), and the OWASP ASVS 4.x (only secured via basic authentication and form based login without any authorization checks)

  • secure branch: The secure variant (all security tests should be green). Still using basic authentication and form based login, but including authorization checks.

REST API

This application provides a basic bookmark administration (like in your web browsers).

You may ask for bookmarks of user Bruce Wayne like this:

http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:wayne

You could also just try to access bookmarks of another user (which is actually broken authz):

http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:banner

Or just ask for the complete list of users (which you usually should not provide to all users!!!)

http :9090/api/users --auth [email protected]:wayne

Security Tests

The security tests include the following types:

  • Unit Test Layer
    • Static Code Analysis using SpotBugs & SonarQube (both using the respective Gradle Plugins)
    • OWASP Dependency Check
    • Security Architecture Tests (using ArchUnit)
    • Input Validation Tests
    • Broken Authentication Tests
  • Integration Test Layer
    • Security Misconfiguration Tests
    • Injection (SQL Injection) Tests
    • Broken Access Control Tests
  • UI/Workflow Layer
    • Dynamic Security Tests using OWASP Zap

Static application security testing

SemGrep

To check the project with the OSS semgrep scanner just perform this command inside the project root folder:

semgrep scan --config auto

SonarQube

To use SonarQube for security analysis the easiest way is the provided docker container. Just follow the Getting Started Guide using the described way using a docker container. Then continue the same guide with Analyzing a Project.

After you have configured the project in SonarQube you can trigger the project analysis by issuing the following command:

./mvnw sonar:sonar -Dsonar.projectKey=PROJECT_KEY 
                             -Dsonar.projectName='PROJECT_NAME' 
                             -Dsonar.host.url=http://localhost:9000 
                             -Dsonar.token=THE_GENERATED_TOKEN

Please replace PROJECT_KEY and PROJECT_TOKEN with your own values.

About

A secure spring boot based java service providing an API to store and retrieve browser bookmarks

Resources

Readme

License

Apache-2.0 license
Activity

Stars

18 stars

Watchers

3 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages