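├── diagrams
│   ├── webgoat-ui-smith.png
│   ├── webggoat-post-landing.png
│   ├── webgoat-vulnerabilities-ss.png
│   └── aws-fargate-contrast-security-integration-1a.png
├── docker-compose.yml
├── kubernetes
│   └── manifests
│       ├── webgoat-service.yaml
│       ├── ingress.yaml
│       └── webgoat-deployment.yaml
├── Dockerfile
├── contrast_security.yaml
├── Dockerfile-old
└── README.md

/diagrams/webgoat-ui-smith.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Contrast-Security-OSS/aws-fargate-example/main/diagrams/webgoat-ui-smith.png
--------------------------------------------------------------------------------

/diagrams/webggoat-post-landing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Contrast-Security-OSS/aws-fargate-example/main/diagrams/webggoat-post-landing.png
--------------------------------------------------------------------------------

/diagrams/webgoat-vulnerabilities-ss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Contrast-Security-OSS/aws-fargate-example/main/diagrams/webgoat-vulnerabilities-ss.png
--------------------------------------------------------------------------------

/diagrams/aws-fargate-contrast-security-integration-1a.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Contrast-Security-OSS/aws-fargate-example/main/diagrams/aws-fargate-contrast-security-integration-1a.png
--------------------------------------------------------------------------------

/docker-compose.yml:
--------------------------------------------------------------------------------
# Local run of the WebGoat image with the Contrast agent.
# The environment entries below deliberately carry no value: docker-compose
# forwards them from the shell that runs `docker-compose up`, so the agent
# credentials never have to be written into this file or into the image.
version: '3.9'
services:
  webgoat:
    build: .
    environment:
      - CONTRAST__API__API_KEY
      - CONTRAST__API__SERVICE_KEY
      - CONTRAST__API__USER_NAME
      - CONTRAST__API__URL
      # Read by the Dockerfile's CMD (-Dcontrast.server); forwarded from the host shell.
      - SERVER_NAME
    ports:
      # WebGoat is intentionally vulnerable: bind to the loopback interface so the
      # local run is not reachable from other hosts on the network.
      - "127.0.0.1:8080:8080"
--------------------------------------------------------------------------------

/kubernetes/manifests/webgoat-service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  annotations:
    kompose.cmd: kompose convert
    kompose.version: 1.22.0 (955b78124)
  creationTimestamp: null
  labels:
    io.kompose.service: webgoat
  name: webgoat
spec:
  # type LoadBalancer gives WebGoat -- a deliberately vulnerable application --
  # an externally reachable address. Restrict which clients may reach it; the
  # CIDR below is a placeholder to fill in before enabling.
  type: LoadBalancer
  # loadBalancerSourceRanges:
  #   - <your-client-cidr>
  ports:
    - name: "8080"
      port: 8080
      targetPort: 8080
  selector:
    io.kompose.service: webgoat
status:
  loadBalancer: {}
--------------------------------------------------------------------------------

/kubernetes/manifests/ingress.yaml:
--------------------------------------------------------------------------------
# Ingress for the WebGoat service. Not part of the README's `kubectl apply`
# command; apply it separately if an ingress controller (Traefik) is installed.
# The Ingress API moved from extensions/v1beta1 (removed in Kubernetes 1.22) to
# networking.k8s.io/v1, which is what current EKS versions serve.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    # Legacy class annotation, kept for older controllers; spec.ingressClassName
    # below is the current mechanism.
    kubernetes.io/ingress.class: "traefik"
    # Both entry points are enabled while the https redirect stays commented out,
    # so the WebGoat login travels in clear text over http unless the redirect
    # annotations below are enabled.
    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
    #traefik.ingress.kubernetes.io/load-balancer-method: drr
    #traefik.ingress.kubernetes.io/redirect-entry-point: https
    #traefik.ingress.kubernetes.io/redirect-permanent: "true"
spec:
  ingressClassName: traefik
  rules:
    - host: webgoat.k8s.contrast.app
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              # Must reference the Service defined in webgoat-service.yaml
              # (name `webgoat`, port 8080); the previous `web` / 90 matched
              # no Service and the route could never resolve.
              service:
                name: webgoat
                port:
                  number: 8080
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
# Dockerfile to run WebGoat 7.1 with Contrast Security (Amazon EKS variant:
# runtime agent settings come from the mounted contrast_security.yaml).
#
# The agent jar is downloaded from the Contrast TeamServer at build time, which
# needs the organisation's API key and Authorization header. They are passed as
# BuildKit secret mounts, which exist only for the duration of the RUN step and
# are never stored in an image layer (ENV/ARG values would be visible through
# `docker history`). The base URL is not a secret and is passed as a build arg.
#
#   docker build -f Dockerfile \
#       --build-arg CONTRAST__BASEURL=<teamserver-url>/Contrast/api/ng/<org-id> \
#       --secret id=contrast_api_key,src=<api-key-file> \
#       --secret id=contrast_auth,src=<auth-header-file> . -t dockerwebgoat

# NOTE(review): check that this base image still receives security updates
# before using it outside a demo -- a maintained JDK 8 image may be preferable.
FROM anapsix/alpine-java:jdk8

RUN mkdir -p /opt/app /opt/contrast

# One layer; `&&` makes a failed step fail the build (the previous `;` between
# `apk update` and `apk add curl` ignored failures of the update).
RUN apk add --no-cache ca-certificates openssl curl && update-ca-certificates

RUN wget https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar -O /opt/app/webgoat.jar

# TeamServer API base URL, e.g. https://<teamserver-host>/Contrast/api/ng/<org-id>.
# Previously this and the credentials were referenced without being declared,
# so the build had nothing to expand them from.
ARG CONTRAST__BASEURL

# -f makes curl exit non-zero on an HTTP error (e.g. a rejected key) instead of
# silently saving the error page as contrast.jar and starting java with it.
RUN --mount=type=secret,id=contrast_api_key \
    --mount=type=secret,id=contrast_auth \
    curl -fsS --max-time 20 "$CONTRAST__BASEURL/agents/default/JAVA" \
      -H "API-Key:$(cat /run/secrets/contrast_api_key)" \
      -H "Authorization:$(cat /run/secrets/contrast_auth)" \
      -o /opt/contrast/contrast.jar

EXPOSE 8080

# Exec-form CMD performs no variable expansion, so the previous
# "-Dcontrast.server=$SERVER_NAME" reached java as the literal string.
# Run through sh so $SERVER_NAME is resolved at container start, and exec so
# java stays PID 1 and receives stop signals directly.
CMD ["sh","-c","exec java -javaagent:/opt/contrast/contrast.jar -Dcontrast.protect.rules.sql-injection.detect_tautologies=true -Dcontrast.server=\"$SERVER_NAME\" -jar /opt/app/webgoat.jar"]
--------------------------------------------------------------------------------

/contrast_security.yaml:
--------------------------------------------------------------------------------
# Contrast agent configuration. Once filled in this file holds live credentials:
# keep it out of version control and hand it to the agent only through the
# Kubernetes secret mounted by webgoat-deployment.yaml (CONTRAST_CONFIG_PATH).
# A Kubernetes secret is base64-encoded, not encrypted -- restrict who can read
# secrets in the namespace and enable encryption at rest on the cluster.
# Optional HTTP proxy settings, if required, are documented on the Contrast site.
api:
  url:
  api_key:
  service_key:
  user_name:

# Set the name for this application
agent:
  java:
    standalone_app_name:

# Enable Contrast Assess product - sample configuration
inventory:
  enable: true
assess:
  enable: true
protect:
  enable: true

# The following environment variables are leveraged during the deployment of the
# Contrast Security agent and application. They are build-time inputs for the
# Dockerfiles, not agent settings, so they are listed here as comments: under
# the former `env:` key they would have parsed as one multi-line string, and
# `env` is not an agent configuration key.
#   OrgID=
#   Auth=
#   APIKey=
#   CONTRAST__BASEURL=/api/ng/     (full form used by Dockerfile-old:
#                                   https://<teamserver-host>/Contrast/api/ng/<org-id>)
#   SERVER_NAME=
--------------------------------------------------------------------------------

/Dockerfile-old:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
# Dockerfile to run WebGoat 7.1 with Contrast Security (vanilla Docker /
# docker-compose variant: application name and server name are fixed in CMD).
#
# Earlier revisions hard-coded OrgID, Auth and APIKey here as ENV instructions.
# ENV (and ARG) values are stored in the image layers and shown by
# `docker history`, so anyone able to pull the image -- or read this repository's
# git history -- could read them; credentials that were ever committed here
# should be treated as exposed and rotated. The two secrets are now passed as
# BuildKit secret mounts, which exist only for the duration of the RUN step.
#
#   docker build -f Dockerfile-old --build-arg OrgID=<org-id> \
#       --secret id=contrast_api_key,src=<api-key-file> \
#       --secret id=contrast_auth,src=<auth-header-file> . -t dockerwebgoat

# NOTE(review): check that this base image still receives security updates
# before using it outside a demo -- a maintained JDK 8 image may be preferable.
FROM anapsix/alpine-java:jdk8

# The organisation id is not a secret; it only selects the agent download URL.
ARG OrgID
ENV CONTRAST__BASEURL=https://eval.contrastsecurity.com/Contrast/api/ng/$OrgID

RUN mkdir -p /opt/app /opt/contrast

# One layer; `&&` makes a failed step fail the build (the previous `;` between
# `apk update` and `apk add curl` ignored failures of the update).
RUN apk add --no-cache ca-certificates openssl curl && update-ca-certificates

RUN wget https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar -O /opt/app/webgoat.jar

# -f makes curl exit non-zero on an HTTP error (e.g. a rejected key) instead of
# silently saving the error page as contrast.jar and starting java with it.
RUN --mount=type=secret,id=contrast_api_key \
    --mount=type=secret,id=contrast_auth \
    curl -fsS --max-time 20 "$CONTRAST__BASEURL/agents/default/JAVA" \
      -H "API-Key:$(cat /run/secrets/contrast_api_key)" \
      -H "Authorization:$(cat /run/secrets/contrast_auth)" \
      -o /opt/contrast/contrast.jar

EXPOSE 8080

# No variables here, so the exec form is correct as written.
CMD ["java","-javaagent:/opt/contrast/contrast.jar","-Dcontrast.standalone.appname=WebGoatDocker","-Dcontrast.protect.rules.sql-injection.detect_tautologies=true","-Dcontrast.server=WebGoatDockerServer","-jar","/opt/app/webgoat.jar"]
--------------------------------------------------------------------------------

/kubernetes/manifests/webgoat-deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert
    kompose.version: 1.22.0 (955b78124)
  creationTimestamp: null
  labels:
    io.kompose.service: webgoat
  name: webgoat
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: webgoat
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert
        kompose.version: 1.22.0 (955b78124)
      creationTimestamp: null
      labels:
        io.kompose.service: webgoat
    spec:
      containers:
        # env, image, name, ports, resources and volumeMounts all describe the
        # single webgoat container; in the previous revision `image:` appeared
        # to start a second list item, which would not be a valid container.
        - env:
            # The agent reads all of its settings, including the API
            # credentials, from the file mounted from the secret below.
            - name: "CONTRAST_CONFIG_PATH"
              value: "/etc/contrast/contrast_security.yaml"
          # Image pushed to ECR (README: "Pushing the Container Image to Amazon ECR").
          # The angle-bracket parts are placeholders to fill in.
          image: "<aws_account_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>"
          name: webgoat
          ports:
            - containerPort: 8080
          # No requests/limits are set, so Fargate sizes the pod at its smallest
          # configuration. NOTE(review): a Java 8 web application may need more
          # memory than that -- confirm before relying on it.
          resources: {}
          volumeMounts:
            - name: contrast-security
              readOnly: true
              mountPath: "/etc/contrast"
      restartPolicy: Always
      volumes:
        - name: contrast-security
          secret:
            # Created by `kubectl create secret generic contrast-security ...`
            # (README); it must live in the same namespace as this Deployment.
            secretName: contrast-security
status: {}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# aws-fargate-example

The code in this github repository gives step-by-step instructions on how to integrate a Contrast Security agent with an application being deployed to an Amazon EKS cluster via AWS Fargate.

![Contrast Fargate-EKS Integration Example](/diagrams/aws-fargate-contrast-security-integration-1a.png)

This github repository contains the following sections:
* Sample Application with Vulnerabilities - Webgoat
* Docker Build/Docker-Compose Deployment
* Pushing the Container Image to Amazon ECR
* Amazon EKS Deployment via AWS Fargate
* Simple Exploit (SQL Injection)
* Contrast Security Vulnerability Results

## Sample Application with Vulnerabilities - Webgoat

The sample application is based on [OWASP WebGoat - version 7](https://github.com/WebGoat) - vulnerabilities have been added for demonstration purposes.

The Webgoat application is a Java application. This guide assumes that the user knows how to instrument a Java application with a Contrast Security Agent.

For more information on how to instrument a Java application with a Contrast Security Agent, please visit the link [here](https://docs.contrastsecurity.com/en/install-the-java-agent.html).

![Contrast Fargate-EKS Integration Example](/diagrams/webggoat-post-landing.png)

## Docker Build/Docker-Compose Deployment

You can run Webgoat within a Docker container locally via docker-compose as tested on OSX. The agent is added automatically during the Docker build process; the agent credentials are supplied as BuildKit secrets so they are never stored in the image (see the comments at the top of each Dockerfile).

1.) Build the container using:

`docker build -f Dockerfile --build-arg CONTRAST__BASEURL=<teamserver-url>/Contrast/api/ng/<org-id> --secret id=contrast_api_key,src=<api-key-file> --secret id=contrast_auth,src=<auth-header-file> . -t dockerwebgoat`

2.)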
Run the containers locally via Docker-Compose using:

`docker-compose up`

*Note - For vanilla Docker implementations including docker-compose, the agent configurations are passed via environment variables within the Dockerfile. Make sure to use 'Dockerfile-old' for vanilla Docker implementations when running the docker build. If you are deploying to Amazon EKS, please use 'Dockerfile' for the docker build, as the Contrast Agent configurations are removed from that Dockerfile. For Amazon EKS implementations, Contrast Agent configurations are passed using Kubernetes secrets/configMaps.*

## Pushing the Container Image to Amazon ECR

Following your build, in order to run the application via Amazon EKS, you first need to have an image available inside a container registry. This demo uses Amazon's ECR to store the built container images.

1.) Make sure to tag the image prior to pushing it to the registry using this command:

`docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]`

2.) Use the 'aws ecr get-login' command to generate the docker login command for the next step:

`$ aws ecr get-login`

Its output is a docker login command of the form `docker login -u AWS -p password -e none https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com`.

3.) Log into Amazon's ECR using the output from the previous step - more information can be found [here](https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/#:~:text=Overview%20of%20Amazon%20ECS%20and%20Amazon%20ECR&text=ECR%20is%20a%20private%20Docker,%2C%20pull%2C%20and%20manage%20images.).

4.) Push the local container image to Amazon's ECR using the 'docker' command:

`docker push NAME[:TAG]`

## Amazon EKS Deployment via AWS Fargate

The Webgoat application can also be deployed to a Kubernetes cluster; this was tested on OSX, both with Kubernetes running locally on Docker Desktop and on the Amazon EKS PaaS environment.

### Set Up AWS Fargate prior to deployment

1.) Make sure existing EKS cluster nodes can communicate with Fargate Pods

2.) Create an AWS Fargate pod execution role

3.) Create an AWS Fargate Profile that matches your Kubernetes namespace and Kubernetes labels:

Using eksctl (the angle-bracket values are placeholders to fill in):

`eksctl create fargateprofile --cluster <cluster-name> --name <profile-name> --namespace <namespace> --labels <key=value>`

If you would like to use the AWS Management Console, refer to this [link](https://docs.amazonaws.cn/en_us/eks/latest/userguide/fargate-profile.html#create-fargate-profile).

For more information on how to set up AWS Fargate prior to deploying your applications to an EKS cluster, please refer to [this](https://docs.amazonaws.cn/en_us/eks/latest/userguide/fargate-getting-started.html) tutorial.

### Create a kubernetes secret to store Contrast Agent configurations

*Note - Prior to running kubectl commands, you need to make sure kubectl can communicate with your EKS cluster. For instructions on how to configure kubectl for your EKS cluster, refer to [this](https://docs.amazonaws.cn/en_us/eks/latest/userguide/create-kubeconfig.html) link.*

1.) Update 'contrast_security.yaml' with your configuration details.

2.) Create a kubernetes secret that houses the Contrast Security agent configuration from the 'contrast_security.yaml' file:

`kubectl create secret generic contrast-security --from-file=./contrast_security.yaml`

*Note - You need to be in the same directory that contains the 'contrast_security.yaml' file, unless you explicitly pass the file location to kubectl as above. Make sure the namespace and/or label(s) match the AWS Fargate Profile created above, and that the secret is created in the same namespace the deployment will run in.*

### Deploy Webgoat to an EKS cluster via AWS Fargate

1.) Make sure your EKS cluster can pull images from your ECR - more information can be found in the AWS documentation

2.) Find the manifests in 'kubernetes/manifests'

3.)
Run the following command to deploy using kubectl:

`kubectl apply -f webgoat-deployment.yaml,webgoat-service.yaml`

*Note - You need to be in the same directory that contains the manifests, unless you explicitly pass the file location to kubectl.*

## Simple exploit (SQL Injection)

To expose a sample SQL Injection vulnerability:
* log in
* inspect the LoadBalancer service you have deployed to get its address - add '/WebGoat' to the URL

The resulting URL should be of the form:

`http://<load-balancer-address>:8080/WebGoat`

* credentials - email: webgoat, password: webgoat
* Navigate to 'Injection Flaws' >> 'String SQL Injection' in the left-hand menu
* Enter the following string where the screen prompts 'Enter your last name':

`Smith`

The result will be:

![Webgoat vulnerability UI App](/diagrams/webgoat-ui-smith.png)

Once the search functionality is exploited, the vulnerable component notifies the Contrast Security Agent of the vulnerability.

## Contrast Security Vulnerability Results

Results from the Contrast Agent should resemble the following:

![Webgoat vulnerability Contrast Team Server](/diagrams/webgoat-vulnerabilities-ss.png)

*Note - More information on Contrast Security can be found [here](https://www.contrastsecurity.com)*
--------------------------------------------------------------------------------