Sample Spring Boot Application

Last updated 3 years ago

This is the initial demo application that is used to show all security patterns when it is deployed and run in Kubernetes.

This application provides two REST APIs:

  • Greetings API

    • GET localhost:8080: Shows the greeting with the configured default message

    • GET localhost:8080?message=test: Shows the greeting with a custom message

  • Actuator API

    • Exposes all available actuator endpoints of Spring Boot (including sensitive ones)

The application is intentionally kept simple so that the focus stays on the security parts instead of on describing a complex use case model.

Run the application

Just start it by running com.example.app.Step1App.

Sample command client requests

Httpie

This should return the default greeting:

```shell
http localhost:8080
```

This should return a custom greeting:

```shell
http localhost:8080 "message==Test"
```

Curl

This should return the default greeting:

```shell
curl http://localhost:8080
```

This should return a custom greeting:

```shell
curl http://localhost:8080\?message\=Test
```

Sample browser requests

Using the browser, we can try to put some cross-site scripting (XSS) snippets into the message parameter.

Try to display a popup via JavaScript:

```http request
http://localhost:8080/?message=<script>alert('XSS')</script>
```

Try to redirect to Google search via XSS:

```http request
http://localhost:8080/?message=<script>document.location="http://www.google.com/"</script>
```

With the default code, XSS does not work because multiple defense mechanisms are in place:

  • Input validation permits a maximum length of 30 characters for the message URL parameter

  • The reflected greeting is output-escaped (HTML and JavaScript), so the browser cannot interpret it as markup or script

  • The response Content-Type is set to application/json, so the browser does not render the body as HTML

Note: If you disable all of these precautions, you should see the XSS working. Please do not disable those precautions in production code!
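As an added illustration (not the workshop's own source code), here is a Spring Boot 3 controller that applies the three defenses listed above to the greetings endpoint; the class name GreetingController, the Greeting record and the default text are assumptions.

```java
// Added example, not the workshop's own code. Assumes Spring Boot 3 with
// spring-boot-starter-web and spring-boot-starter-validation on the classpath.
package com.example.app;

import jakarta.validation.constraints.Size;
import org.springframework.http.MediaType;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;

@RestController
@Validated // enables validation of the @Size constraint on the request parameter
public class GreetingController {

    // Response body; Jackson serialises it as {"message": "..."}
    public record Greeting(String message) {}

    // Defense 3: the response is application/json, so a browser shows it as
    // plain data instead of rendering the body as HTML.
    @GetMapping(value = "/", produces = MediaType.APPLICATION_JSON_VALUE)
    public Greeting greet(
            // Defense 1: input validation. Anything longer than 30 characters is
            // rejected with a validation error before this method body runs.
            // The default text is an assumption for this example.
            @RequestParam(name = "message", defaultValue = "Hello World")
            @Size(max = 30) String message) {
        // Defense 2: output escaping. HTML metacharacters (<, >, ", ', &) are
        // encoded first, then JavaScript-significant characters, so the reflected
        // value stays inert even if a client later embeds it in a page or script.
        String escaped = JavaScriptUtils.javaScriptEscape(HtmlUtils.htmlEscape(message));
        return new Greeting("Greeting: " + escaped);
    }
}
```

With this controller, the popup and redirect URLs from the browser section above come back as escaped text inside a JSON document rather than as executable markup.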

Build process

The Gradle build for this application includes specific security-relevant parts:

  • SpotBugs (with Security Add-On): Automatically performs static code analysis for security issues

  • OWASP Dependency Check: Automatically checks all Gradle dependencies for known vulnerabilities

Next

Next: Default Container