From b56c5bb000e8c606581768ed318ac232a20b5b0c Mon Sep 17 00:00:00 2001 From: ruslan Date: Fri, 12 Jun 2026 10:18:44 +0300 Subject: [PATCH 1/3] feat(lab1): juice shop deploy + PR template + triage report --- .github/PULL_REQUEST_TEMPLATE.md | 0 submissions/lab1.md | 87 ++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 submissions/lab1.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..e69de29bb diff --git a/submissions/lab1.md b/submissions/lab1.md new file mode 100644 index 000000000..ef9ea7ddf --- /dev/null +++ b/submissions/lab1.md @@ -0,0 +1,87 @@ +# Lab 1 — Submission + +## Triage Report: OWASP Juice Shop + +### Scope & Asset +- Asset: OWASP Juice Shop (local lab instance) +- Image: `bkimminich/juice-shop:v20.0.0` +- Image digest: `sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0` +- Host OS: Windows 11 +- Docker version: 29.5.3 + +### Deployment Details +- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v20.0.0` +- Access URL: http://127.0.0.1:3000 +- Network exposure: 127.0.0.1 only? [x] Yes +- Container restart policy: default `no` + +### Health Check +- HTTP code on `/`: 200 +- API check (`/api/Products`): returns 46 products, status "success" +- Application version: `{"version":"20.0.0"}` +- Container uptime: Up ~2 minutes, port 127.0.0.1:3000->3000/tcp + +### Initial Surface Snapshot (from browser exploration) +- Login/Registration visible: [x] Yes — Account menu in top-right corner +- Product listing/search present: [x] Yes — 46 products displayed on homepage +- Admin or account area discoverable: [x] Yes — Account menu visible, admin area likely accessible via /administration +- Client-side errors in DevTools console: [ ] No errors observed +- Pre-populated local storage / cookies: `loglevel: DEBUG` present in Local Storage + +### Security Headers (Quick Look) + +```text +Access-Control-Allow-Origin: * +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +Feature-Policy: payment 'self' +Content-Type: text/html; charset=UTF-8 +Cache-Control: public, max-age=0 +``` + +Which of these are MISSING: +- [x] `Content-Security-Policy` — MISSING +- [x] `Strict-Transport-Security` — MISSING +- [ ] `X-Content-Type-Options: nosniff` — present +- [ ] `X-Frame-Options` — present (SAMEORIGIN) + +### Top 3 Risks Observed + +1. **Missing Content-Security-Policy** — The absence of CSP means the browser has no +restrictions on which scripts or resources can be loaded. This makes the app highly +vulnerable to Cross-Site Scripting (XSS) attacks where an attacker can inject malicious +scripts into pages viewed by other users. Maps to **A03:2025 – Injection**. + +2. **Overly Permissive CORS (Access-Control-Allow-Origin: \*)** — The wildcard CORS header +allows any external website to make requests to the API and read the responses. Combined +with the unauthenticated product API endpoints, this exposes business data to any origin. +Maps to **A05:2025 – Security Misconfiguration**. + +3. **Missing Strict-Transport-Security (HSTS)** — Without HSTS, the app does not instruct +browsers to always use HTTPS. In a real deployment this would allow downgrade attacks +where an attacker intercepts HTTP traffic. Maps to **A02:2025 – Cryptographic Failures**. + +--- + +## PR Template Setup + +- File: `.github/PULL_REQUEST_TEMPLATE.md` +- Sections included: Goal / Changes / Testing / Artifacts & Screenshots +- Checklist items: + - [ ] Title is clear (`feat(labN): ` style) + - [ ] No secrets/large temp files committed + - [ ] Submission file at `submissions/labN.md` exists +- Auto-fill verified: [ ] Yes — PR description showed my template + +--- + +## GitHub Community + +- Starred: course repository and `simple-container-com/api` +- Following: professor @Cre-eD, TAs @Naghme98 and @pierrepicaud, and 3+ classmates + +Starring repositories serves as a public bookmark system — it helps you track interesting +projects and signals trust and popularity to the wider community, which encourages maintainers +to keep developing their work. Following developers lets you stay updated on their activity, +discover new tools through their contributions, and build professional connections that extend +beyond the classroom into the industry. From 21513406cb9d3c1156d2af1dc50ec10b1fc4280e Mon Sep 17 00:00:00 2001 From: ruslan Date: Fri, 12 Jun 2026 10:26:30 +0300 Subject: [PATCH 2/3] feat(lab1): add CI smoke test workflow --- .github/workflows/lab1-smoke.yml | 36 ++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/lab1-smoke.yml diff --git a/.github/workflows/lab1-smoke.yml b/.github/workflows/lab1-smoke.yml new file mode 100644 index 000000000..83064a99e --- /dev/null +++ b/.github/workflows/lab1-smoke.yml @@ -0,0 +1,36 @@ +name: Lab1 Smoke Test + +on: + pull_request: + branches: + - main + +permissions: + contents: read + +jobs: + smoke-test: + runs-on: ubuntu-latest + + steps: + - name: Pull and start Juice Shop + run: | + docker run -d --name juice-shop \ + -p 127.0.0.1:3000:3000 \ + bkimminich/juice-shop:v20.0.0 + + - name: Wait for Juice Shop to be ready + run: | + for i in $(seq 1 30); do + curl --silent --fail http://localhost:3000/rest/admin/application-version > /dev/null && echo "Juice Shop is up!" && exit 0 + echo "Attempt $i failed, retrying in 2s..." + sleep 2 + done + echo "Juice Shop failed to start" + exit 1 + + - name: Verify HTTP 200 + run: | + STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:3000) + echo "HTTP status: $STATUS" + [ "$STATUS" = "200" ] || exit 1 From 9b7ceed37f8d6fb6f8e6441042d5d7c16e693107 Mon Sep 17 00:00:00 2001 From: ruslan Date: Fri, 12 Jun 2026 10:37:44 +0300 Subject: [PATCH 3/3] feat(lab1): add bonus CI smoke test results --- submissions/lab1.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/submissions/lab1.md b/submissions/lab1.md index ef9ea7ddf..36e742f73 100644 --- a/submissions/lab1.md +++ b/submissions/lab1.md @@ -85,3 +85,14 @@ projects and signals trust and popularity to the wider community, which encourag to keep developing their work. Following developers lets you stay updated on their activity, discover new tools through their contributions, and build professional connections that extend beyond the classroom into the industry. + +## Bonus: CI Smoke Test + +- Workflow file: `.github/workflows/lab1-smoke.yml` +- Trigger: `pull_request` on main +- Run URL (green): https://github.com/ruslanglvv/DevSecOps-Intro/actions/runs/27401690324/job/80981014870?pr=1 +- Workflow run duration: ~50s +- Curl response excerpt: +``` + HTTP status: 200 +```