Code Samples and Test Targets
Overview
See below for code samples and test targets you can use to test Jit's suite of security requirements.
Scan code for vulnerabilities (Python)
File name: test.py
import yaml


def exploitable_yaml_load(**kwargs):
    """
    The string `!!python/object/new:os.system` is a YAML tag that tells the parser
    to create a new Python object by calling 'os.system' with 'echo EXPLOIT!' as its argument.
    When using 'yaml.unsafe_load', this can lead to arbitrary command execution.
    """
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)
Expected output:
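To see what the "Scan code for vulnerabilities" requirement has to recognise in the sample above, here is a small AST-based check, added as an example and not Jit's own scanner logic. It holds a constructed copy of test.py as a string, flags the `yaml.unsafe_load` call (and `yaml.load` without a safe `Loader`), and shows that a hardened variant using `yaml.safe_load` (an assumption about the fix, not from the page) produces no finding. It needs only the standard library, so it runs without PyYAML installed and never evaluates the payload.

```python
import ast
from typing import List, Tuple

# Constructed copy of the page's test.py sample (held as a string so this runs offline).
VULNERABLE_SRC = """
import yaml
def exploitable_yaml_load(**kwargs):
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)
"""

# Hardened variant (an assumption about the fix, not from the page): safe_load only builds
# plain YAML types and rejects python/object tags with a ConstructorError.
HARDENED_SRC = """
import yaml
def safe_yaml_load(text):
    return yaml.safe_load(text)
"""

# Entry points that construct arbitrary Python objects from tags.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all"}
# Loader classes that do the same when passed to yaml.load.
UNSAFE_LOADER_CLASSES = {"Loader", "UnsafeLoader"}


def find_unsafe_yaml_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each YAML call that can run code on untrusted input.

    Handles the ``yaml.<func>(...)`` attribute form used in the sample: flags
    unsafe_load/unsafe_load_all outright, and yaml.load/load_all unless an
    explicit Loader other than Loader/UnsafeLoader is given.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            continue
        name = func.attr
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{name} can instantiate arbitrary Python objects"))
        elif name in {"load", "load_all"}:
            # Loader may be the second positional argument or the Loader= keyword.
            loader = node.args[1] if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                findings.append((node.lineno, f"yaml.{name} called without an explicit Loader"))
            elif isinstance(loader, ast.Attribute) and loader.attr in UNSAFE_LOADER_CLASSES:
                findings.append((node.lineno, f"yaml.{name} uses yaml.{loader.attr}"))
    return findings


if __name__ == "__main__":
    for label, src in (("test.py", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_unsafe_yaml_calls(src) or "no findings")
```

Running it reports line 4 of the constructed test.py and nothing for the hardened variant; committing the hardened file in place of test.py is the quickest way to confirm the requirement stops reporting once the loader is fixed.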
Scan code for vulnerabilities (JavaScript)
File name: test.js
document.getElementById('userForm').addEventListener('submit', function(e) {
    e.preventDefault();
    // This is an unsafe practice and can lead to XSS vulnerabilities
    const userInput = document.getElementById('userInput').value;
    document.getElementById('content').innerHTML = userInput;
});
Expected output:
Scan code for vulnerabilities (Go)
File name: test.go
package testutil // import "github.com/docker/docker/testutil"

import "math/rand"

// GenerateRandomAlphaOnlyString generates an alphabetical random string with length n.
func GenerateRandomAlphaOnlyString(n int) string {
	// make a really long string
	letters := []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[rand.Intn(len(letters))] //nolint: gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand)
	}
	return string(b)
}
Expected output:
Scan code dependencies for vulnerabilities (Node)
File name: package.json
{
  "name": "dependencygoat2",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "minimist": "0.0.8"
  }
}
Expected output:
Scan code dependencies for vulnerabilities (Python)
File name: requirements.txt
requests==2.18.2
urllib3==1.26.4
Expected output:
Scan code for hard-coded secrets (multiple languages)
File name: secret.txt
MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"
Expected output:
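The secret.txt sample labels its value MY_AWS_SECRET, but the value has the shape of an AWS access key ID (the 20-character AKIA... form; it is the example key from AWS's own documentation), which is what a secrets scanner keys on. The following detector is an added example, not Jit's scanner: it runs two patterns over constructed sample lines, one for access key IDs and one for the 40-character secret access key that only matches when "aws" and "secret" appear nearby, and redacts each hit so the report itself does not reproduce the credential.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from a real repository). The values are the example
# credentials AWS uses in its own documentation, so nothing here is live.
SAMPLE_LINES = [
    'MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"',                          # the page's secret.txt line
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}',                        # indirection, not a secret
    'region = "us-east-1"',
]

# Access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary) + 16 [A-Z0-9].
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 base64-like chars with no fixed prefix, so require
# "aws" and "secret" nearby on the same line to keep the false-positive rate down.
SECRET_KEY_RE = re.compile(r"(?i)aws[^\n]{0,30}?secret[^\n]{0,30}?[\"']([0-9A-Za-z/+]{40})[\"']")


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file without reproducing it in a report."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(lines: List[str]) -> List[Dict[str, object]]:
    """Scan text lines for hard-coded AWS credentials; returns one finding per match."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "redacted": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "redacted": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_LINES):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

Lines 1 and 2 are reported as access key IDs and line 3 as a secret access key; the environment-variable reference on line 4 is not a finding, which is the behaviour you want when checking that a requirement reports the secret.txt sample and stays quiet on injected configuration.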
Scan IaC for static misconfigurations (Terraform)
Code sample: EC2 instance has Public IP
File name: public-ip.tf
// test public ip
data "aws_ami" "ubuntu1" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "web2" {
  ami           = data.aws_ami.ubuntu1.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

resource "aws_instance" "web3" {
  ami                         = data.aws_ami.ubuntu1.id
  associate_public_ip_address = true
  instance_type               = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Expected output:
Code sample: S3 bucket without restriction of public buckets
File name: public-bucket.tf
// test public bucket
resource "aws_s3_bucket" "positive1" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "positive2" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = false
}

resource "aws_s3_bucket_public_access_block" "positive3" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls   = true
  block_public_policy = true
}
Expected output:
Code sample: ALB listening on HTTP
File name: alb-http.tf
resource "aws_lb_listener" "listener6" {
  load_balancer_arn = aws_lb.test3.arn
  port              = 80

  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb" "test3" {
  name               = "test123"
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal           = true
}
Expected output:
Run a Web Application Scanner / Ensure Your APIs are Secure (ZAP-based security requirements)
Use the following tests to verify that your security requirements based on ZAP (which include Run a Web Application Scanner and Ensure Your APIs are Secure) are functional.
Test target: Google Firing Range
https://www.zaproxy.org/docs/scans/firingrange/
Test target: Google Security Crawl Maze
https://www.zaproxy.org/docs/scans/crawlmaze/
Test target: OWASP Benchmark
https://www.zaproxy.org/docs/scans/benchmark/
Test target: Websites Vulnerable to SSTI
https://www.zaproxy.org/docs/scans/ssti/
Test target: Yahoo Webseclab