https://github.com/andifalk/bookmark-service
A secure spring boot based java service providing an API to store and retrieve browser bookmarks
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/andifalk/bookmark-service
- Owner: andifalk
- License: apache-2.0
- Created: 2021-05-14T16:23:46.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-06-10T21:15:20.000Z (11 months ago)
- Last Synced: 2025-01-20T07:19:10.810Z (3 months ago)
- Language: HTML
- Size: 3.39 MB
- Stars: 18
- Watchers: 3
- Forks: 9
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Bookmark Service Application
An insecure Spring Boot based Java service providing an API to store and retrieve browser bookmarks for different users.

* __main__ branch: the insecure variant of this application, with lots of security tests covering several topics of the OWASP Top 10 (2021) and the OWASP ASVS 4.x. It is only secured via basic authentication and form based login, without any authorization checks.
* __secure__ branch: the secure variant (all security tests should be green). Still using basic authentication and form based login, but including authorization checks.
## REST API
This application provides basic bookmark administration (like the bookmarks in your web browser).

You may ask for the bookmarks of user Bruce Wayne like this:

```shell
http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:wayne
```

You could also request the bookmarks of another user with your own credentials. On the main branch this succeeds, because the service authenticates the caller but never checks that the caller owns the requested bookmarks (broken access control):

```shell
http :9090/api/bookmarks?userid=c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48 --auth [email protected]:banner
```

Or ask for the complete list of users, which you usually should not expose to all users:

```shell
http :9090/api/users --auth [email protected]:wayne
```

## Security Tests
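The two requests above exercise the same flaw from different sides: on the main branch the caller is authenticated, but the `userid` parameter is trusted as-is, so the bookmarks of user `c9caa4d1-5ad7-4dd1-8bd1-91b8bc5b9a48` are served to anyone who can log in, and `/api/users` is served to every user. As an added example that is not part of the project's code, the following shows such a controller in its insecure form beside a hardened form with the authorization checks the secure branch aims for. The class and method names (`BookmarkRepository`, `UserRepository`, `User.getIdentifier()`) are assumptions, and the annotations assume Spring Security 6.

```java
// Added illustration, not code from the bookmark-service project. Repository and
// domain types are assumed; only one of the two controllers would be registered in
// a real application, since both map the same paths.
package com.example.bookmarks;

import java.util.List;
import java.util.UUID;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

record Bookmark(UUID id, UUID userId, String url) {}

// Assumed: the UserDetails implementation Spring Security places in the security
// context after basic auth / form login, carrying the user's UUID.
interface User extends UserDetails {
    UUID getIdentifier();
}

interface BookmarkRepository {
    List<Bookmark> findAllByUserId(UUID userId);
}

interface UserRepository {
    List<User> findAll();
}

/**
 * Insecure variant (main branch behaviour): the caller is authenticated, but the
 * client-supplied userid is never compared with the caller's identity. Any logged-in
 * user can read another user's bookmarks (an IDOR), and every user can list all users.
 */
@RestController
@RequestMapping("/api")
class InsecureBookmarkApi {
    private final BookmarkRepository bookmarks;
    private final UserRepository users;

    InsecureBookmarkApi(BookmarkRepository bookmarks, UserRepository users) {
        this.bookmarks = bookmarks;
        this.users = users;
    }

    @GetMapping("/bookmarks")
    List<Bookmark> bookmarks(@RequestParam("userid") UUID userid) {
        return bookmarks.findAllByUserId(userid); // trusts whatever userid the client sends
    }

    @GetMapping("/users")
    List<User> users() {
        return users.findAll(); // exposed to every authenticated user
    }
}

/**
 * Hardened variant: the identity comes from the authenticated principal, the userid
 * parameter is only honoured when it matches that principal, and the user list is
 * restricted to the ADMIN role via method security.
 */
@RestController
@RequestMapping("/api")
@EnableMethodSecurity // enables @PreAuthorize; normally placed on a @Configuration class
class SecureBookmarkApi {
    private final BookmarkRepository bookmarks;
    private final UserRepository users;

    SecureBookmarkApi(BookmarkRepository bookmarks, UserRepository users) {
        this.bookmarks = bookmarks;
        this.users = users;
    }

    @GetMapping("/bookmarks")
    List<Bookmark> bookmarks(@RequestParam("userid") UUID userid,
                             @AuthenticationPrincipal User principal) {
        if (!principal.getIdentifier().equals(userid)) {
            // Spring Security maps this to 403. Answer the same way whether or not the
            // id exists, so the check does not leak which user ids are valid.
            throw new AccessDeniedException("not allowed to read bookmarks of another user");
        }
        return bookmarks.findAllByUserId(userid);
    }

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/users")
    List<User> users() {
        return users.findAll();
    }
}
```

A stricter option for the bookmarks endpoint is to drop the `userid` parameter entirely and always query by `principal.getIdentifier()`; the comparison above keeps the existing API shape while closing the hole. Whichever form is used, a broken access control test should send the second request from the README (Bruce Banner's credentials, Bruce Wayne's id) and expect a 403, and send the `/api/users` request as a non-admin and expect a 403 as well.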
The security tests include the following types:

* Unit Test Layer
  * Static Code Analysis using SpotBugs & SonarQube (both using the respective Gradle Plugins)
  * OWASP Dependency Check
  * Security Architecture Tests (using [ArchUnit](https://www.archunit.org/))
  * Input Validation Tests
  * Broken Authentication Tests
* Integration Test Layer
  * Security Misconfiguration Tests
  * Injection (SQL Injection) Tests
  * Broken Access Control Tests
* UI/Workflow Layer
  * Dynamic Security Tests using OWASP Zap

### Static application security testing
#### SemGrep
To check the project with the open-source Semgrep scanner, run this command inside the project root folder:
```shell
semgrep scan --config auto
```
#### SonarQube

The easiest way to use SonarQube for security analysis is the provided Docker container. Follow the [Getting Started Guide](https://docs.sonarqube.org/latest/setup/get-started-2-minutes/) using the Docker container as described there, then continue with the _Analyzing a Project_ section of the same guide.

After you have configured the project in SonarQube, trigger the project analysis with the following command:
```shell
./mvnw sonar:sonar -Dsonar.projectKey=PROJECT_KEY \
  -Dsonar.projectName='PROJECT_NAME' \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=THE_GENERATED_TOKEN
```

Replace _PROJECT_KEY_, _PROJECT_NAME_ and _THE_GENERATED_TOKEN_ with your own values. The token is generated in SonarQube for your user or project; treat it as a secret and keep it out of version control.