[HN Gopher] Vulhub: Pre-Built Vulnerable Environments Based on D...
___________________________________________________________________
Vulhub: Pre-Built Vulnerable Environments Based on Docker-Compose
Author : nateb2022
Score : 78 points
Date : 2022-09-24 15:33 UTC (7 hours ago)
| mimimi31 wrote:
| The name is unfortunate since there's already Vul _n_ hub [1].
|
| [1] https://www.vulnhub.com
| cowmix wrote:
| Most of these compose files are pretty outdated AND they depend
| on non-standard builds of containers for each respective
| application.
| detaro wrote:
| What else would you expect for setups intentionally trying to
| preserve past versions of software?
| westurner wrote:
| Reproducibility in [Infosec] Software Research requires
| DevOpSec, which requires: explicit data and code dependency
| specifications, and/or trusting hopefully-immutable software
| package archives, and/or securely storing and transmitting
| cryptographically-signed archival (container) images; and then
| upgrade all of the versions and run the integration tests
| with a git post-receive hook or a webhook to an external
| service dependency not encapsulated within the {Dockerfile,
| environment.yml/requirements.txt/postBuild; REES} dependency
| constraint model.
|
| With pip-tools, you update the python software versions in a
| requirements.txt from a requirements.in meta-dependency-spec-
| file: https://github.com/jazzband/pip-tools#updating-
| requirements
|
|   $ pip-compile --upgrade requirements.in
|   $ cat requirements.txt
|
| Poetry has an "Expanded dependency specification syntax" but
| FWIU there's not a way to specify unsigned or signed
| cryptographic hashes, which e.g. Pipfile.lock supports:
| hashes for every variant of those versions of packages on
| {PyPI, and third-party package repos with TUF keys, too}.
|
| From https://pipenv.pypa.io/en/latest/basics/#pipenv-lock :
| $ pipenv lock
|
| > _pipenv lock is used to create a Pipfile.lock, which
| declares all dependencies (and sub-dependencies) of your
| project, their latest available versions, and the current
| hashes for the downloaded files. This ensures repeatable, and
| most importantly deterministic, builds_
|
| "Reproducible builds" of a DVWA Deliberately Vulnerable Web
| Application is a funny thing:
| https://en.wikipedia.org/wiki/Reproducible_builds
|
| Replication crisis
| https://en.wikipedia.org/wiki/Replication_crisis :
|
| > _The replication crisis (also called the replicability
| crisis and the reproducibility crisis) is an ongoing
| methodological crisis in which it has been found that the
| results of many scientific studies are difficult or
| impossible to reproduce. Because the reproducibility of
| empirical results is an essential part of the scientific
| method,[2] such failures undermine the credibility of
| theories building on them and potentially call into question
| substantial parts of scientific knowledge._
|
| Just rebuilding or re-pulling a container image does not
| upgrade the versions of software installed within the
| container. See also: SBOM, CycloneDx, #LinkedReproducibility,
| #JupyterREES.
|
| `podman-pull`
| https://docs.podman.io/en/latest/markdown/podman-
| pull.1.html...
|
|   ~: podman image pull busybox
|   podman pull busybox
|   docker pull busybox
|   podman pull busybox centos fedora ubuntu debian
|
| "How to rebuild and update a container without downtime with
| docker-compose?"
| https://stackoverflow.com/questions/42529211/how-to-
| rebuild-... :
|
|   docker-compose up -d --no-deps --build #[servicename]
|
| "Statistics-Based OWASP Top 10 2021 Proposal"
| https://dzone.com/articles/statistics-based-owasp-
| top-10-202...
|
| awesome-vulnerable-apps > OWASP Top 10
| https://github.com/vavkamil/awesome-vulnerable-apps#owasp-
| to... :
|
| > _OWASP Juice Shop: Probably the most modern and
| sophisticated insecure web application_
|
| And there's a book, an Open Source Official Companion Guide
| book titled _"Pwning Juice Shop"_: https://github.com/juice-
| shop/juice-shop#official-companion-...
|
| If the versions installed in the book are outdated, you too
| can bump the version strings in the dependency specs in the
| git repo and send a PR Pull Request (which also updates the
| Screenshots and Menu > Sequences and Keyboard Shortcuts in
| the book&docs); and then manually test that everything works
| with the updated "deps" dependencies.
|
| If it's an _executablebooks/_, a Computational Notebook
| (possibly in a Literate Computing style), you can "Restart &
| Run all" from the notebook UI button or a script, and then
| test that all automated test assertions pass, and then "diff"
| (visually compare), and then just manually read through the
| textual descriptions of commands to enter (because people who
| buy a _Book_ presumably have a reasonable expectation that if
| they copy the commands from the book to a script by hand to
| learn them, the commands as written should run; it should
| work like the day you bought it for a projected term of many
| free word-of-mouth years).
|
| From https://github.com/juice-shop/juice-shop#docker-
| container :
|
|   docker pull bkimminich/juice-shop
|   docker run --rm -p 3000:3000 bkimminich/juice-shop
|
| With podman [desktop]:
|
|   podman pull bkimminich/juice-shop
|   podman run --rm -p 3000:3000 --name juiceshop0 bkimminich/juice-shop
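The comment above contrasts version-only pins (pip-compile) with hash-pinned lock files (Pipfile.lock, or pip-compile's --generate-hashes output). The following is an added example, not code from the HN thread, Vulhub, pip-tools or pipenv: it writes a requirements file in the pip `--hash=sha256:...` format from a set of constructed package artifacts, parses it back, and verifies each artifact against its pins. It also reports requirements that lack a hash, since pip's hash-checking mode refuses a file in which only some requirements are hashed. All package names, versions and artifact bytes are constructed sample data.

```python
"""Round trip of pip-style hash pinning: emit, parse, verify.

Added example; the package names, versions and artifact bytes below are
constructed so the script runs offline with no network or pip installed.
"""
import hashlib
import re

# One --hash=algo:hex token; pip accepts several per requirement line.
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
# Only ==-pinned requirements are accepted (pip's --require-hashes rule).
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._\-\[\],]*)==(?P<version>[^\s\\]+)")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_hashed_requirements(text):
    """Return {normalized_name: {"version": str, "hashes": {sha256 hex, ...}}}."""
    pins = {}
    for line in _logical_lines(text):
        if line.startswith("-"):  # global options such as --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an ==-pinned requirement: {line!r}")
        # Normalize like pip: strip extras, lower-case, '_' -> '-'.
        name = m.group("name").split("[")[0].lower().replace("_", "-")
        hashes = {h.group("hex").lower() for h in HASH_RE.finditer(line)
                  if h.group("algo") == "sha256"}
        pins[name] = {"version": m.group("version"), "hashes": hashes}
    return pins


def unpinned(pins):
    """Names without any hash; pip rejects the whole file in hash-checking mode if any exist."""
    return sorted(n for n, p in pins.items() if not p["hashes"])


def verify_artifact(pins, name, data):
    """Classify one downloaded wheel/sdist as 'ok', 'mismatch' or 'unpinned'."""
    entry = pins.get(name.lower().replace("_", "-"))
    if entry is None or not entry["hashes"]:
        return "unpinned"
    digest = hashlib.sha256(data).hexdigest()
    return "ok" if digest in entry["hashes"] else "mismatch"


def format_hashed_requirements(artifacts):
    """Emit the pinned-and-hashed text that pip-compile --generate-hashes writes.

    artifacts: {name: (version, [bytes, ...])}, one hash per variant (wheel, sdist, ...).
    """
    out = []
    for name, (version, blobs) in sorted(artifacts.items()):
        out.append(f"{name}=={version} \\")
        for i, blob in enumerate(blobs):
            end = "" if i == len(blobs) - 1 else " \\"
            out.append(f"    --hash=sha256:{hashlib.sha256(blob).hexdigest()}{end}")
    return "\n".join(out) + "\n"


# Constructed sample artifacts: two variants of one package (as a wheel and an
# sdist would be) plus a second package with a single file.
SAMPLE_ARTIFACTS = {
    "flask": ("2.2.2", [b"flask-2.2.2-py3-none-any.whl (constructed)",
                        b"Flask-2.2.2.tar.gz (constructed)"]),
    "werkzeug": ("2.2.2", [b"Werkzeug-2.2.2-py3-none-any.whl (constructed)"]),
}
SAMPLE_REQUIREMENTS = format_hashed_requirements(SAMPLE_ARTIFACTS)
SAMPLE_PINS = parse_hashed_requirements(SAMPLE_REQUIREMENTS)


def demo():
    """Every genuine variant passes; a one-byte change fails; an unlisted name is flagged."""
    results = {}
    for name, (_, blobs) in SAMPLE_ARTIFACTS.items():
        results[name] = [verify_artifact(SAMPLE_PINS, name, b) for b in blobs]
    tampered = SAMPLE_ARTIFACTS["flask"][1][0] + b"\x00"
    results["flask-tampered"] = verify_artifact(SAMPLE_PINS, "flask", tampered)
    results["unknown"] = verify_artifact(SAMPLE_PINS, "requests", b"anything")
    # A file that mixes hashed and unhashed pins is rejected by pip outright.
    results["mixed-unpinned"] = unpinned(
        parse_hashed_requirements(SAMPLE_REQUIREMENTS + "click==8.1.3\n"))
    return results


if __name__ == "__main__":
    print(SAMPLE_REQUIREMENTS)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hash set per requirement is the one the comment makes about Pipfile.lock: a single version string cannot distinguish the wheel from the sdist, nor an artifact re-uploaded under the same version from the original, whereas a per-file digest does, which is what turns "repeatable" into "deterministic".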
| johanbcn wrote:
| Also, the install instructions suggest installing the python
| implementation of docker-compose, which has been deprecated in
| favour of the compose docker plugin.
| jtwebman wrote:
| I still use the python one out of habit.
___________________________________________________________________
(page generated 2022-09-24 23:00 UTC)