{"id":24678744,"url":"https://github.com/contrast-security-oss/demo-netflicks","last_synced_at":"2025-10-08T11:31:28.489Z","repository":{"id":44089360,"uuid":"305447578","full_name":"Contrast-Security-OSS/demo-netflicks","owner":"Contrast-Security-OSS","description":null,"archived":false,"fork":false,"pushed_at":"2025-07-23T15:56:40.000Z","size":90962,"stargazers_count":6,"open_issues_count":3,"forks_count":15,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-09-30T18:59:59.584Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-19T16:33:06.000Z","updated_at":"2025-01-30T19:18:33.000Z","dependencies_parsed_at":"2025-07-23T12:18:59.175Z","dependency_job_id":null,"html_url":"https://github.com/Contrast-Security-OSS/demo-netflicks","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Contrast-Security-OSS/demo-netflicks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fdemo-netflicks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fdemo-netflicks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fdemo-netflicks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fdemo-netflicks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/demo-netflicks/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fdemo-netflicks/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278934167,"owners_count":26071364,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-26T13:18:08.680Z","updated_at":"2025-10-08T11:31:23.638Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Netflicks: A deliberately insecure .NET Core web application\n\nThis is a .NET 6.0 demo application, based on https://github.com/LeviHassel/.net-flicks with added vulnerabilities. \n\n**Warning**: The computer running this application will be vulnerable to attacks, please take appropriate precautions.\n\nThe credentials for admin access are admin@dotnetflicks.com / p@ssWORD471\n\n# Running in Docker\n\nYou can run Netflicks within a Docker container, tested on OSX. It uses a separate sql server as specified within docker-compose.yml (you should not need to edit this file). The agent is added automatically during the Docker build process.\n\n1. Place a .NET specific `contrast_security.yaml` file into the application's root folder.\n1. Build the Netflicks container image using:\n    * for x64 use `docker build -f Dockerfile.contrast . -t netflicks:1.0`\n    * for ARM64 use `docker build -f Dockerfile.contrast.arm . -t netflicks:1.0`\n1. Run the containers using:\n    * for x64 use `docker-compose -f docker-compose-x64.yml up`\n    * for ARM64 use `docker-compose -f docker-compose-arm.yml up`\n\n# Running in Azure (Azure App Service):\n\n## Pre-Requisites\n\n1. Place a .NET specific `contrast_security.yaml` file into the application's root folder.\n1. Install Terraform from here: https://www.terraform.io/downloads.html or using `brew update \u0026\u0026 brew install terraform`.\n1. Install PyYAML using `pip3 install PyYAML`.\n1. Install the Azure cli tools using `brew update \u0026\u0026 brew install azure-cli`.\n1. Log into Azure to make sure you cache your credentials using `az login`.\n1. Edit the [variables.tf](variables.tf) file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.\n1. Run `(cd terraform \u0026\u0026 terraform init)` to download the required plugins.\n1. Run `(cd terraform \u0026\u0026 terraform plan)` and check the output for errors.\n1. Run `(cd terraform \u0026\u0026 terraform apply)` to build the infrastructure that you need in Azure, this will output the web address for the application. If you receive a HTTP 503 error when visiting the app then wait 30 seconds for the application to initialize.\n1. Run `(cd terraform \u0026\u0026 terraform destroy)` when you would like to stop the app service and release the resources.\n\nThe terraform file will automatically add the Contrast .NET Azure site extension, so you will always get the latest version.\n\n# Running automated tests\n\nThere is a test script which you can use to reveal all the vulnerabilities which requires node and playwright.\n\n1. Install Node, NPM and Chrome.\n1. Run `BASEURL=\u003curl\u003e npx playwright test`.\n\n# Deploying a new version\n\nIf you change the application you should run the Publish option in Visual Studio which will update the content in deploy folder. Zip this up into an archive called deploy.zip. \n\n# Vulnerabilities\n\n1. SQL Injection from \"Search\" Parameter on \"/Movie\" page\n1. Cross-Site Scripting from \"Email\" Parameter on \"/Account/ForgotPasswordConfirmation\" page\n1. XML External Entity Injection (XXE) from \"Biography\" Parameter on \"/Person/Edit/{n}\" page\n1. Path Traversal from \"Email\" Parameter on \"/Account/Login\" page\n1. Path Traversal from \"PhoneNumber\" Parameter on \"/Manage/Index\" page\n1. OS Command Injection from \"Email\" Parameter on \"/Account/Login\" page\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fdemo-netflicks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrast-security-oss%2Fdemo-netflicks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fdemo-netflicks/lists"}