Test Jit's Detection: Code Samples and Targets
Test out Jit's detection capabilities using the code samples and test targets below.
Scan code for vulnerabilities (Python)
File name: test.py
import yaml

def exploitable_yaml_load(**kwargs):
    """
    The string `!!python/object/new:os.system` is a YAML tag that tells the parser
    to create a new Python object by calling 'os.system' with 'echo EXPLOIT!' as its argument.
    When using 'yaml.unsafe_load', this can lead to arbitrary command execution.
    """
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)
Expected output:
Scan code for vulnerabilities (JavaScript)
File name: test.js
document.getElementById('userForm').addEventListener('submit', function(e) {
  e.preventDefault();
  // Assigning raw user input to innerHTML is an unsafe practice and can lead to XSS vulnerabilities
  const userInput = document.getElementById('userInput').value;
  document.getElementById('content').innerHTML = userInput;
});
Expected output:
Scan code for vulnerabilities (Go)
File name: test.go
package testutil // import "github.com/docker/docker/testutil"

import "math/rand"

// GenerateRandomAlphaOnlyString generates an alphabetical random string with length n.
func GenerateRandomAlphaOnlyString(n int) string {
	// make a really long string
	letters := []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[rand.Intn(len(letters))] //nolint: gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand)
	}
	return string(b)
}
Expected output:
Scan code dependencies for vulnerabilities (Node)
File name: package.json
{
  "name": "dependencygoat2",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "minimist": "0.0.8"
  }
}
Expected output:
Scan code dependencies for vulnerabilities (Python)
File name: requirements.txt
requests==2.18.2
urllib3==1.26.4
Expected output:
Scan code for hard-coded secrets (Multi-language)
File name: secret.txt
MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"
Expected output:
Scan IaC for static misconfigurations (Terraform)
Code sample: EC2 instance has Public IP
File name: public-ip.tf
//test public ip
data "aws_ami" "ubuntu1" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

// web2: no public IP requested, should not be flagged
resource "aws_instance" "web2" {
  ami           = data.aws_ami.ubuntu1.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

// web3: associate_public_ip_address = true is the misconfiguration the scan should flag
resource "aws_instance" "web3" {
  ami                         = data.aws_ami.ubuntu1.id
  associate_public_ip_address = true
  instance_type               = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}
Expected output:
Code sample: S3 bucket without public bucket restriction
File name: public-bucket.tf
//test public bucket
resource "aws_s3_bucket" "positive1" {
  bucket = "example"
}

// positive2: a public access block is attached, but restrict_public_buckets is explicitly disabled
resource "aws_s3_bucket_public_access_block" "positive2" {
  bucket                  = aws_s3_bucket.positive1.id
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = false
}

// positive3: restrict_public_buckets is omitted, so the provider default (false) applies
resource "aws_s3_bucket_public_access_block" "positive3" {
  bucket              = aws_s3_bucket.positive1.id
  block_public_acls   = true
  block_public_policy = true
}
Expected output:
Code sample: ALB listening on HTTP
File name: alb-http.tf
resource "aws_lb_listener" "listener6" {
  load_balancer_arn = aws_lb.test3.arn
  port              = 80

  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb" "test3" {
  name               = "test123"
  load_balancer_type = "application"
  subnets            = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal           = true
}
Expected output:
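To make concrete what each sample above is meant to trigger, here is a small line-level detector added as an illustration; it is not Jit's own code or rule set, and the regexes and rule names are assumptions chosen for this example. It runs over one triggering line taken from each sample and over a hardened counterpart of each, which should produce no findings.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    line_no: int
    line: str

# One line-level regex per sample on this page. The patterns are assumptions written
# for this example: they approximate what each sample should trigger, not Jit's own rules.
RULES = {
    # yaml.unsafe_load(), or yaml.load() without an explicit SafeLoader
    "python-unsafe-yaml": re.compile(r"\byaml\.(unsafe_load|load)\s*\((?![^)]*SafeLoader)"),
    # assignment to the innerHTML DOM XSS sink (textContent is the safe alternative)
    "js-innerhtml-sink": re.compile(r"\.innerHTML\s*=[^=]"),
    # AWS access key ID format: AKIA/ASIA followed by 16 upper-case alphanumerics
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "tf-ec2-public-ip": re.compile(r"associate_public_ip_address\s*=\s*true"),
    "tf-s3-public-not-restricted": re.compile(r"restrict_public_buckets\s*=\s*false"),
    "tf-alb-http-listener": re.compile(r'protocol\s*=\s*"HTTP"'),
}


def scan(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) match, in file order."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, no, line.strip()))
    return findings


# Constructed input: one triggering line taken from each sample on this page.
VULNERABLE = """\
yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)
document.getElementById('content').innerHTML = userInput;
MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"
associate_public_ip_address = true
restrict_public_buckets = false
protocol = "HTTP"
"""
# Constructed hardened counterparts: the same lines with the safe setting; none should fire.
HARDENED = """\
yaml.safe_load(data)
yaml.load(data, Loader=yaml.SafeLoader)
document.getElementById('content').textContent = userInput;
associate_public_ip_address = false
restrict_public_buckets = true
protocol = "HTTPS"
"""
```

Calling `scan(VULNERABLE)` yields six findings, one per line and in the order of the samples above; `scan(HARDENED)` yields none.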
Run a Web Application Scanner / Ensure Your APIs are Secure (ZAP-based security requirements)
Use the following tests to verify that your security requirements based on ZAP (which include Run a Web Application Scanner and Ensure Your APIs are Secure) are functional.
Test target: Google Firing Range
https://www.zaproxy.org/docs/scans/firingrange/
Test target: Google Security Crawl Maze
https://www.zaproxy.org/docs/scans/crawlmaze/
Test target: OWASP Benchmark
https://www.zaproxy.org/docs/scans/benchmark/
Test target: Websites Vulnerable to SSTI
https://www.zaproxy.org/docs/scans/ssti/
Test target: Yahoo Webseclab
https://www.zaproxy.org/docs/scans/webseclab/
name: Sync Jit Teams

on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:

jobs:
  sync-teams:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3

      - name: Call action
        uses: jitsecurity/[email protected]
        with:
          JIT_CLIENT_ID: ${{ secrets.JIT_CLIENT_ID }}
          JIT_CLIENT_SECRET: ${{ secrets.JIT_CLIENT_SECRET }}
          ORGANIZATION_NAME: ${{ github.repository_owner }}
          GITHUB_API_TOKEN: ${{ secrets.MY_GITHUB_API_TOKEN }}
          TEAM_WILDCARD_TO_EXCLUDE: "*dev*, *test*"