This is a .NET 6.0 demo application, based on https://github.com/LeviHassel/.net-flicks with added vulnerabilities.
Warning: The computer running this application will be vulnerable to attacks, please take appropriate precautions.
The credentials for admin access are [email protected] / p@ssWORD471
You can run Netflicks within a Docker container, tested on OSX. It uses a separate sql server as specified within docker-compose.yml (you should not need to edit this file). The agent is added automatically during the Docker build process.
- Place a .NET specific
contrast_security.yaml
file into the application's root folder. - Build the Netflicks container image using:
- for x64 use
docker build -f Dockerfile.contrast . -t netflicks:1.0
- for ARM64 use
docker build -f Dockerfile.contrast.arm . -t netflicks:1.0
- for x64 use
- Run the containers using:
- for x64 use
docker-compose -f docker-compose-x64.yml up
- for ARM64 use
docker-compose -f docker-compose-arm.yml up
- for x64 use
- Place a .NET specific
contrast_security.yaml
file into the application's root folder. - Install Terraform from here: https://www.terraform.io/downloads.html or using
brew update && brew install terraform
. - Install PyYAML using
pip3 install PyYAML
. - Install the Azure cli tools using
brew update && brew install azure-cli
. - Log into Azure to make sure you cache your credentials using
az login
. - Edit the variables.tf file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
- Run
(cd terraform && terraform init)
to download the required plugins. - Run
(cd terraform && terraform plan)
and check the output for errors. - Run
(cd terraform && terraform apply)
to build the infrastructure that you need in Azure, this will output the web address for the application. If you receive a HTTP 503 error when visiting the app then wait 30 seconds for the application to initialize. - Run
(cd terraform && terraform destroy)
when you would like to stop the app service and release the resources.
The terraform file will automatically add the Contrast .NET Azure site extension, so you will always get the latest version.
There is a test script which you can use to reveal all the vulnerabilities which requires node and playwright.
- Install Node, NPM and Chrome.
- Run
BASEURL=<url> npx playwright test
.
If you change the application you should run the Publish option in Visual Studio which will update the content in deploy folder. Zip this up into an archive called deploy.zip.
- SQL Injection from "Search" Parameter on "/Movie" page
- Cross-Site Scripting from "Email" Parameter on "/Account/ForgotPasswordConfirmation" page
- XML External Entity Injection (XXE) from "Biography" Parameter on "/Person/Edit/{n}" page
- Path Traversal from "Email" Parameter on "/Account/Login" page
- Path Traversal from "PhoneNumber" Parameter on "/Manage/Index" page
- OS Command Injection from "Email" Parameter on "/Account/Login" page