Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of eight app services, a load generator, and two databases. Unguard encompasses vulnerabilities like server-side request forgery (SSRF), Command/SQL injection, JWT key confusion, remote code execution and many more.
The application is a web-based Twitter clone where users can register/login, post text, URLs and images and follow users. Unguard also features fake ads, a possibility to edit your biography and manage your membership.
Note This product is not officially supported by Dynatrace
Timeline | User profile |
---|---|
Unguard is composed of eight microservices written in different languages that talk to each other over REST.
Service | Language | Service Account | Description |
---|---|---|---|
envoy-proxy | default | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint. | |
frontend | Node.js Express | default | Serves HTML to the user to interact with the application. |
ad-service | .NET 5 | default | Provide CRUD operation for images and serves a HTML page which displays an image like an ad. |
microblog-service | Java Spring | default | Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). |
proxy-service | Java Spring | unguard-proxy | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL). |
profile-service | Java Spring | default | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks |
membership-service | .NET 7 | default | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks |
like-service | PHP | default | Serves REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks |
user-auth-service | Node.js Express | default | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion). |
status-service | Go | unguard-status | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection) |
payment-service | Python Flask | default | Serves REST API for adding and retrieving credit card payment information associated with a user. |
jaeger | default | The Jaeger stack for distributed tracing. | |
mariadb | unguard-mariadb | Relational database that holds user and token data. | |
redis | default | Key-value store that holds all user data (except authentication-related stuff). | |
user-simulator | Node.js (Puppeteer) | default | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator. |
malicious-load-generator | default | Malicious load generator that makes CMD, JNDI, and SQL injections. |
To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager
Warning
Unguard is insecure by design and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.
-
Add the bitnami repository for the MariaDB dependency
helm repo add bitnami https://charts.bitnami.com/bitnami
-
Install MariaDB
helm install unguard-mariadb bitnami/mariadb --version 11.5.7 --set primary.persistence.enabled=false --wait --namespace unguard --create-namespace
-
Install Unguard
helm install unguard oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace
To customize your Unguard chart installation, see the chart README
See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.
See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.
- Kubernetes/AWS: The app is designed to run on a local Kubernetes cluster, as well as on the cloud with AWS.
- Jaeger Tracing: Most services are instrumented using trace interceptors.
- Skaffold: Unguard is deployed to Kubernetes with a single command using Skaffold.
- Synthetic Load Generation: The application comes with a deployment that creates traffic using the Element browser-based load generation library.
- Exploits: Different automated attack scenarios like JWT key confusion attacks or remote code execution.
- Monitoring: Dynatrace monitoring by utilizing MONACO.
- Tracing and Jaeger: See these instructions
- Malicious Load Generator: See these instructions
Hummingbird icon by Danil Polshin from the Noun Project.