unguard
Unguard is an insecure cloud-native microservices demo application.
Science Score: 44.0%
This score indicates how likely this project is to be science-related, based on the following indicators:
- ✓ CITATION.cff file: found
- ✓ codemeta.json file: found
- ✓ .zenodo.json file: found
- ○ DOI references: none detected
- ○ Academic publication links: none detected
- ○ Committers with academic emails: none detected
- ○ Institutional organization owner: no
- ○ JOSS paper metadata: none detected
- ○ Scientific vocabulary similarity: low similarity (7.2%) to scientific vocabulary
Repository
Unguard is an insecure cloud-native microservices demo application.
Basic Info
Statistics
- Stars: 50
- Watchers: 6
- Forks: 31
- Open Issues: 16
- Releases: 11
Metadata Files
README.md
Unguard
Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of ten app services behind an Envoy proxy, a load generator, and two databases (see Architecture below). Unguard deliberately contains vulnerabilities such as server-side request forgery (SSRF), command and SQL injection, JWT key confusion, remote code execution and many more.
The application is a web-based Twitter clone where users can register/login, post text, URLs and images and follow users. Unguard also features fake ads, a possibility to edit your biography and manage your membership.
Note: This product is not officially supported by Dynatrace.
🖼️ Screenshots
Screenshots (images not included on this page): Timeline, User profile.
🏗️ Architecture
Unguard is composed of microservices written in different languages that talk to each other over REST. The table below lists every deployed component, the language it is written in, the Kubernetes service account it runs under, and the vulnerability each service intentionally carries.
| Service | Language | Service Account | Description |
|---|---|---|---|
| envoy-proxy | | default | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint. |
| frontend | Next.js | default | Provides a modern frontend to allow the user to interact with the application. Includes an API that talks with the other microservices. |
| ad-service | .NET 5 | default | Provides CRUD operations for images and serves an HTML page which displays an image like an ad. |
| microblog-service | Java Spring | default | Serves a REST API for the frontend and saves data into Redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). |
| proxy-service | Java Spring | unguard-proxy | Serves a REST API for proxying requests from the frontend (vulnerable to SSRF; no sanitization on the entered URL). |
| profile-service | Java Spring | default | Serves a REST API for updating biography information in an H2 database; vulnerable to SQL injection attacks. |
| membership-service | .NET 7 | default | Serves a REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks. |
| like-service | PHP | default | Serves a REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks. |
| user-auth-service | Node.js Express | default | Serves a REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion and SQL injection attacks). |
| status-service | Go | unguard-status | Serves a REST API for Kubernetes deployment health, as well as a user and user-role list (vulnerable to SQL injection). |
| payment-service | Python Flask | default | Serves a REST API for adding and retrieving credit card payment information associated with a user. |
| jaeger | | default | The Jaeger stack for distributed tracing. |
| mariadb | | unguard-mariadb | Relational database that holds user and token data. |
| redis | | default | Key-value store that holds all user data (except authentication-related data). |
| user-simulator | Node.js (Puppeteer) | default | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator. |
| malicious-load-generator | | default | Malicious load generator that performs CMD, JNDI, and SQL injections. |
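The proxy-service row states that the entered URL receives no sanitization. As an added example written for this page, not code taken from Unguard, the block below shows the outbound-URL check such a proxy needs before it fetches anything, in Node.js (the language of the frontend and user-auth-service). The function names (isSafeOutboundUrl, isBlockedIpv4, isBlockedIpv6) and the blocked-range list are assumptions; the check relies on Node's WHATWG URL parser canonicalising numeric IPv4 hosts such as 2130706433 or 127.1 to dotted-decimal, and IPv4-mapped IPv6 hosts to ::ffff:hhhh:hhhh form.

```javascript
// Added example (not Unguard's code): outbound-URL validation for an SSRF-prone
// proxy. Pure validation, no network access. Hostnames come from Node's WHATWG
// URL parser, which already canonicalises numeric IPv4 hosts
// (2130706433, 0x7f000001 and 127.1 all become 127.0.0.1).

function ipv4ToInt(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges a user-supplied URL must never reach: "this" network, RFC 1918,
// carrier-grade NAT, loopback, link-local (includes cloud metadata 169.254.169.254).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function isBlockedIpv4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // not an IPv4 literal (a DNS name)
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// addr is the canonical (compressed, lower-case) form Node produces, without brackets.
function isBlockedIpv6(addr) {
  const h = addr.toLowerCase();
  if (h === '::1' || h === '::') return true;             // loopback, unspecified
  const first = parseInt(h.split(':')[0], 16);            // NaN for '::...' is harmless
  if ((first & 0xfe00) === 0xfc00) return true;           // fc00::/7 unique-local
  if ((first & 0xffc0) === 0xfe80) return true;           // fe80::/10 link-local
  if (h.startsWith('::ffff:')) {                           // IPv4-mapped: apply the v4 rules
    const rest = h.slice(7);
    if (rest.includes('.')) return isBlockedIpv4(rest);
    const [hi, lo] = rest.split(':').map((x) => parseInt(x, 16));
    if (Number.isNaN(hi) || Number.isNaN(lo)) return true; // malformed: refuse
    return isBlockedIpv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

// True only for http(s) URLs that do not name localhost or a blocked address
// literal. Run the same address check on the *resolved* IP right before
// connecting, and on every redirect target; otherwise DNS rebinding or a 30x
// hop to an internal host bypasses this pre-check.
function isSafeOutboundUrl(input) {
  let url;
  try { url = new URL(input); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false; // no file:, gopher:, ...
  if (url.username || url.password) return false;        // credentials in URL: refuse
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[') && host.endsWith(']')) return !isBlockedIpv6(host.slice(1, -1));
  return !isBlockedIpv4(host);
}
```

The pre-check rejects the literal forms an attacker reaches for first (loopback, metadata endpoint, numeric and bracketed encodings); the resolution-time re-check mentioned in the comment is what closes the DNS-rebinding gap.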
Quickstart
To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager.
Warning: Unguard is insecure by design, and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.
- Add the bitnami repository for the MariaDB dependency:

```sh
helm repo add bitnami https://charts.bitnami.com/bitnami
```

- Install MariaDB:

```sh
helm install unguard-mariadb bitnami/mariadb --version 11.5.7 --set primary.persistence.enabled=false --wait --namespace unguard --create-namespace
```

- Install Unguard:

```sh
helm install unguard oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace
```

To customize your Unguard chart installation, see the chart README.
🖥️ Local Development
See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.
☁️ Kubernetes Deployment
See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.
✨ Features
- Kubernetes/AWS: The app is designed to run on a local Kubernetes cluster, as well as on the cloud with AWS.
- Jaeger Tracing: Most services are instrumented using trace interceptors.
- Skaffold: Unguard is deployed to Kubernetes with a single command using Skaffold.
- Synthetic Load Generation: The application comes with a deployment that creates traffic using the Element browser-based load generation library.
- Exploits: Different automated attack scenarios like JWT key confusion attacks or remote code execution.
- Monitoring: Dynatrace monitoring by utilizing MONACO.
➕ Additional Deployment Options
- Tracing and Jaeger: See these instructions
- Malicious Load Generator: See these instructions
Hummingbird icon by Danil Polshin from the Noun Project.
Owner
- Name: Dynatrace Open Source
- Login: dynatrace-oss
- Kind: organization
- Email: opensource@dynatrace.com
- Website: https://engineering.dynatrace.com
- Repositories: 40
- Profile: https://github.com/dynatrace-oss
This organization contains Open Source projects maintained by Dynatrace. If not stated differently, these projects are not officially supported.
Citation (CITATION.cff)
```yaml
cff-version: 1.2.0
title: "Unguard: An Insecure Cloud-Native Microservice-Based Application"
message: "If you use this software, please cite it as below."
type: software
authors:
  - name: "Dynatrace LLC"
date-released: 2023
url: "https://github.com/dynatrace-oss/unguard"
license: Apache-2.0
```
GitHub Events
Total
- Create event: 26
- Issues event: 6
- Release event: 4
- Watch event: 9
- Delete event: 8
- Issue comment event: 27
- Push event: 113
- Pull request review comment event: 123
- Pull request review event: 126
- Pull request event: 69
- Fork event: 19
Last Year
- Create event: 26
- Issues event: 6
- Release event: 4
- Watch event: 9
- Delete event: 8
- Issue comment event: 27
- Push event: 113
- Pull request review comment event: 123
- Pull request review event: 126
- Pull request event: 69
- Fork event: 19
Committers
Last synced: 9 months ago
Top Committers
| Name | Email (masked) | Commits |
|---|---|---|
| Christoph Wedenig | c****g@d****m | 22 |
| Fabian Oraze | f****e@d****m | 21 |
| Manuel Fragner | m****r@d****m | 17 |
| Matthias Kranzer | m****r@d****m | 16 |
| eliasgierlinger | g****s@g****m | 12 |
| Alejandro A. Camba | 3****a | 6 |
| KugliLuca | K****5@s****t | 5 |
| Olivier Karasangabo | o****o@d****m | 5 |
| Paul Weber | p****r@d****m | 4 |
| Kyohei.Saito | k****o@3****m | 3 |
| Roland Wohlfahrt | r****t@d****m | 3 |
| Simon Ammer | s****r@d****m | 3 |
| Sascha Skorupa | s****a@d****m | 3 |
| reg0bs | 7****s | 2 |
| Laura Randl | l****l@d****m | 2 |
| Paul Hörmann | p****n@d****m | 1 |
| Tiit Hallas | h****s@n****e | 1 |
Issues and Pull Requests
Last synced: 6 months ago
All Time
- Total issues: 26
- Total pull requests: 127
- Average time to close issues: 2 months
- Average time to close pull requests: 7 days
- Total issue authors: 7
- Total pull request authors: 23
- Average comments per issue: 0.38
- Average comments per pull request: 0.76
- Merged pull requests: 83
- Bot issues: 0
- Bot pull requests: 4
Past Year
- Issues: 6
- Pull requests: 66
- Average time to close issues: 3 months
- Average time to close pull requests: 6 days
- Issue authors: 3
- Pull request authors: 11
- Average comments per issue: 0.33
- Average comments per pull request: 0.62
- Merged pull requests: 46
- Bot issues: 0
- Bot pull requests: 0
Top Authors
Issue Authors
- ammerzon (9)
- W3D3 (7)
- agardnerIT (4)
- LauraRandl (2)
- orazefabian (1)
- MfCrizz (1)
- blu3r4y (1)
Pull Request Authors
- LauraRandl (23)
- W3D3 (18)
- KraProgrammer (16)
- DavidPHirsch (15)
- orazefabian (15)
- reg0bs (9)
- MfCrizz (8)
- tiitha (4)
- dependabot[bot] (4)
- gollumeye (4)
- kiyo-s (2)
- ammerzon (2)
- sassko (2)
- hoermannpaul (2)
- AlejandroCamba (2)
Packages
- Total packages: 1
- Total downloads: unknown
- Total dependent packages: 0
- Total dependent repositories: 0
- Total versions: 12
proxy.golang.org: github.com/dynatrace-oss/unguard
- Documentation: https://pkg.go.dev/github.com/dynatrace-oss/unguard#section-documentation
- License: apache-2.0
- Latest release: v0.11.2 (published 10 months ago)
Dependencies
- actions/cache v3 composite
- actions/checkout v3 composite
- hiberbee/github-action-skaffold 1.26.0 composite
- actions/checkout v3 composite
- actions/setup-node v2 composite
- wagoid/commitlint-github-action v5 composite
- actions-ecosystem/action-regex-match v2 composite
- actions/cache v3 composite
- actions/checkout v3 composite
- docker/login-action v2 composite
- hiberbee/github-action-skaffold 1.26.0 composite
- base latest build
- build latest build
- mcr.microsoft.com/dotnet/aspnet 5.0 build
- mcr.microsoft.com/dotnet/sdk 5.0 build
- ad-service latest
- envoyproxy/envoy v1.23.0 build
- node 14 build
- locustio/locust 2.9.0 build
- base latest build
- build latest build
- mcr.microsoft.com/dotnet/aspnet 7.0 build
- mcr.microsoft.com/dotnet/sdk 7.0 build
- gradle 6.9.1-jdk11 build
- openjdk 11-jre-slim build
- gradle 7.4.1-jdk11 build
- openjdk 11-jre build
- openjdk 8u111-jdk-alpine build
- openjdk 8u111-jre build
- alpine latest build
- golang 1.18-alpine build
- node 16 build
- node 14.20.0 build
- github.com/PuerkitoBio/purell v1.1.1
- github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
- github.com/davecgh/go-spew v1.1.1
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
- github.com/emicklei/go-restful v2.9.5+incompatible
- github.com/go-logr/logr v1.2.0
- github.com/go-openapi/jsonpointer v0.19.5
- github.com/go-openapi/jsonreference v0.19.5
- github.com/go-openapi/swag v0.19.14
- github.com/gogo/protobuf v1.3.2
- github.com/golang/protobuf v1.5.2
- github.com/google/gnostic v0.5.7-v3refs
- github.com/google/gofuzz v1.1.0
- github.com/josharian/intern v1.0.0
- github.com/json-iterator/go v1.1.12
- github.com/labstack/echo/v4 v4.1.17
- github.com/labstack/gommon v0.3.0
- github.com/mailru/easyjson v0.7.6
- github.com/mattn/go-colorable v0.1.7
- github.com/mattn/go-isatty v0.0.12
- github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
- github.com/modern-go/reflect2 v1.0.2
- github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
- github.com/valyala/bytebufferpool v1.0.0
- github.com/valyala/fasttemplate v1.2.1
- golang.org/x/crypto v0.0.0-20220214200702-86341886e292
- golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
- golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
- golang.org/x/sys v0.0.0-20220209214540-3681064d5158
- golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
- golang.org/x/text v0.3.7
- golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
- google.golang.org/appengine v1.6.7
- google.golang.org/protobuf v1.27.1
- gopkg.in/inf.v0 v0.9.1
- gopkg.in/yaml.v2 v2.4.0
- gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
- k8s.io/api v0.24.2
- k8s.io/apimachinery v0.24.2
- k8s.io/client-go v0.24.2
- k8s.io/klog/v2 v2.60.1
- k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42
- k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
- sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2
- sigs.k8s.io/structured-merge-diff/v4 v4.2.1
- sigs.k8s.io/yaml v1.2.0
- 600 dependencies
- io.jsonwebtoken:jjwt-api 0.11.2 compile
- io.jaegertracing:jaeger-client 1.4.0 implementation
- junit:junit 4.13.1 implementation
- org.junit.jupiter:junit-jupiter 5.7.0 implementation
- org.springframework.boot:spring-boot-starter-web * implementation
- org.testng:testng 6.14.3 implementation
- io.jsonwebtoken:jjwt-impl 0.11.2
- org.assertj:assertj-core 3.21.0 testImplementation
- org.springframework.boot:spring-boot-starter-test * testImplementation
- org.springframework.boot:spring-boot-starter-data-jpa * implementation
- org.springframework.boot:spring-boot-starter-validation * implementation
- org.springframework.boot:spring-boot-starter-web * implementation
- com.h2database:h2 2.0.204 runtimeOnly
- org.springframework.boot:spring-boot-starter-test * testImplementation
- com.uber.jaeger:jaeger-apachehttpclient 0.27.0 implementation
- io.jaegertracing:jaeger-client 1.4.0 implementation
- org.springframework.boot:spring-boot-starter-web * implementation
- org.testng:testng 6.14.3 implementation
- org.springframework.boot:spring-boot-starter-test * testImplementation
- 206 dependencies
- commitlint ^17.4.4 development
- commitlint-config-gitmoji ^2.3.1 development
- dotenv ^10.0.0 development
- nodemon ^2.0.12 development
- @w3d3/axios-opentracing ^0.1.5
- @w3d3/express-opentracing ^0.1.5
- axios ^0.20.0
- body-parser ^1.19.0
- bootstrap ^4.5.3
- cheerio ^1.0.0-rc.3
- cookie-parser ^1.4.5
- express ^4.17.1
- express-opentracing ^0.1.1
- form-data ^4.0.0
- jaeger-client ^3.18.1
- jquery 3.5.1
- jwt-decode ^3.1.2
- multer ^1.4.2
- node-sass-middleware ^0.11.0
- nunjucks ^3.2.2
- winston ^3.3.3
- 453 dependencies
- dotenv ^10.0.0 development
- nodemon ^2.0.12 development
- bcrypt ^5.0.1
- colors ^1.4.0
- cookie-parser ~1.4.4
- debug ~2.6.9
- express ~4.16.1
- http-errors ~1.6.3
- jaeger-client ^3.15.0
- jsonwebtoken ^8.5.1
- jwt-simple 0.5.2
- morgan ~1.9.1
- mysql ^2.18.1
- mysql2 ^2.2.5
- opentracing ^0.14.5
- pug 2.0.0-beta11
- readline-sync ^1.4.10
- 328 dependencies
- @types/node 18.11.18 development
- @flood/element ^2.0.4
- @flood/element-cli ^2.0.4
- prettier ^2.8.3
- 812 dependencies
- Flurl.Http 3.2.0
- Jaeger 0.2.2
- Newtonsoft.Json 13.0.1
- OpenTelemetry 1.1.0
- OpenTelemetry.Api 1.1.0
- OpenTelemetry.Exporter.Jaeger 1.1.0
- OpenTelemetry.Exporter.OpenTelemetryProtocol 1.1.0
- OpenTelemetry.Extensions.Hosting 1.0.0-rc7
- OpenTelemetry.Instrumentation.AspNetCore 1.0.0-rc7
- OpenTelemetry.Instrumentation.Http 1.0.0-rc7
- SharpCompress 0.20.0
- Microsoft.AspNetCore.OpenApi 7.0.1
- Pomelo.EntityFrameworkCore.MySql 6.0.2
- Swashbuckle.AspNetCore 6.4.0
- click >=7.1
- pyjwt >=2.1
- python-decouple >=3.4
- requests >=2.21
- requests-html >=0.10
- setuptools >=45
- Click *
- requests *
- requests-html *
- locust ==2.9.0
- brotli ==1.0.9
- certifi ==2022.5.18.1
- charset-normalizer ==2.0.12
- click ==8.1.3
- configargparse ==1.5.3
- flask ==2.1.2
- flask-basicauth ==0.2.0
- flask-cors ==3.0.10
- gevent ==21.12.0
- geventhttpclient ==1.5.3
- greenlet ==1.1.2
- idna ==3.3
- importlib-metadata ==4.11.4
- itsdangerous ==2.1.2
- jinja2 ==3.1.2
- locust ==2.9.0
- markupsafe ==2.1.1
- msgpack ==1.0.4
- psutil ==5.9.1
- pyzmq ==22.3.0
- requests ==2.28.0
- roundrobin ==0.0.2
- six ==1.16.0
- typing-extensions ==4.2.0
- urllib3 ==1.26.9
- werkzeug ==2.1.2
- zipp ==3.8.0
- zope-event ==4.5.0
- zope-interface ==5.4.0