Skip to content

Unguard is an insecure cloud-native microservices demo application.

License

Notifications You must be signed in to change notification settings

Iir00d/unguard

 
 

Repository files navigation

Unguard Logo Unguard

Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of eight app services, a load generator, and two databases. Unguard encompasses vulnerabilities like server-side request forgery (SSRF), Command/SQL injection, JWT key confusion, remote code execution and many more.

The application is a web-based Twitter clone where users can register/login, post text, URLs and images and follow users. Unguard also features fake ads, a possibility to edit your biography and manage your membership.

Note This product is not officially supported by Dynatrace

🖼️ Screenshots

Timeline User profile
Screenshot of the timeline Screenshot of a user profile

🏗️ Architecture

Unguard is composed of eight microservices written in different languages that talk to each other over REST.

Unguard Architecture

Service Language Service Account Description
envoy-proxy default Routes to the frontend or the ad-service and also provides a vulnerable health endpoint.
frontend Node.js Express default Serves HTML to the user to interact with the application.
ad-service .NET 5 default Provide CRUD operation for images and serves a HTML page which displays an image like an ad.
microblog-service Java Spring default Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9).
proxy-service Java Spring unguard-proxy Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL).
profile-service Java Spring default Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks
membership-service .NET 7 default Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks
user-auth-service Node.js Express default Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion).
status-service Go unguard-status Vulnerable server that uses the Kubernetes API from within a pod to get current deployment information
jaeger default The Jaeger stack for distributed tracing.
mariadb unguard-mariadb Relational database that holds user and token data.
redis default Key-value store that holds all user data (except authentication-related stuff).
user-simulator Node.js Element default Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator.
malicious-load-generator default Malicious load generator that makes CMD, JNDI, and SQL injections.

Quickstart

To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager

Warning
Unguard is insecure by design and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.

  1. Add the bitnami repository for the MariaDB dependency

     helm repo add bitnami https://charts.bitnami.com/bitnami
  2. Install MariaDB

    helm install unguard-mariadb bitnami/mariadb --set primary.persistence.enabled=false --wait --namespace unguard --create-namespace
  3. Install Unguard

    helm install unguard  oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace

To customize your Unguard chart installation, see the chart README

🖥️ Local Development

See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.

☁️ Kubernetes Deployment

See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.

✨ Features

  • Kubernetes/AWS: The app is designed to run on a local Kubernetes cluster, as well as on the cloud with AWS.
  • Jaeger Tracing: Most services are instrumented using trace interceptors.
  • Skaffold: Unguard is deployed to Kubernetes with a single command using Skaffold.
  • Synthetic Load Generation: The application comes with a deployment that creates traffic using the Element browser-based load generation library.
  • Exploits: Different automated attack scenarios like JWT key confusion attacks or remote code execution.
  • Monitoring: Dynatrace monitoring by utilizing MONACO.

➕ Additional Deployment Options


Hummingbird icon by Danil Polshin from the Noun Project.

About

Unguard is an insecure cloud-native microservices demo application.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 25.4%
  • JavaScript 20.8%
  • C# 16.0%
  • Nunjucks 10.8%
  • Python 7.7%
  • SCSS 7.1%
  • Other 12.2%