Share
## https://sploitus.com/exploit?id=DE552D9B-4689-5BE9-A76E-DB32DF068497
# Project 2: Microservices with Infrastructure as Code
โ ๏ธ **WARNING: This project contains intentional security vulnerabilities for demonstration purposes only. DO NOT USE IN PRODUCTION.**
## Purpose
This project demonstrates Lacework CNAPP Code Security capabilities across multiple technologies:
- **SAST** (Static Application Security Testing) - Code-level vulnerabilities in Go and Java
- **SCA** (Software Composition Analysis) - Vulnerable dependencies
- **Secrets Detection** - Hardcoded credentials and API keys
- **IaC Scanning** - Terraform, Dockerfiles, and Kubernetes security misconfigurations
## Project Structure
```
project-2-microservices-iac/
โโโ go-service/
โ โโโ main.go # Go microservice with SAST vulnerabilities
โ โโโ go.mod # Go dependencies
โ โโโ go.sum
โโโ java-service/
โ โโโ pom.xml # Maven dependencies with known CVEs
โ โโโ src/main/java/com/demo/
โ โโโ UserService.java # Java service with vulnerabilities
โโโ terraform/
โ โโโ main.tf # Terraform with AWS security misconfigurations
โโโ k8s/
โ โโโ deployment.yaml # Kubernetes manifests with security issues
โโโ docker/
โ โโโ Dockerfile.go # Insecure Dockerfile for Go service
โ โโโ Dockerfile.java # Insecure Dockerfile for Java service
โโโ README.md
```
## Intentional Vulnerabilities
### SAST Vulnerabilities (Code-Level)
#### Go Service:
1. **SQL Injection** - Direct string concatenation in SQL queries
2. **Command Injection** - Unsafe command execution
3. **Unsafe Deserialization** - JSON deserialization without validation
4. **Exposed Secrets** - Hardcoded credentials in code
#### Java Service:
1. **SQL Injection** - Direct string concatenation in SQL queries
2. **Command Injection** - Runtime.exec() with user input
3. **Unsafe Deserialization** - Jackson deserialization without validation
4. **Exposed Secrets** - Hardcoded credentials in code
### SCA Vulnerabilities (Dependencies)
#### Java Dependencies:
- jackson-databind 2.9.10.1 (outdated, known CVEs)
- spring-web 5.2.0.RELEASE (outdated, known CVEs)
- commons-collections4 4.1 (outdated, known CVEs)
- mysql-connector-java 5.1.47 (outdated, known CVEs)
- log4j-core 2.14.1 (outdated, known CVEs including Log4Shell)
### Secrets Detection
Hardcoded credentials found in:
- `go-service/main.go` - AWS keys, database passwords, API tokens
- `java-service/UserService.java` - AWS keys, database passwords, API tokens
- `terraform/main.tf` - AWS credentials, database passwords
- `k8s/deployment.yaml` - Environment variables with secrets
- `docker/Dockerfile.go` - Environment variables with secrets
- `docker/Dockerfile.java` - Environment variables with secrets
### IaC Vulnerabilities
#### Terraform (`terraform/main.tf`):
1. Hardcoded AWS credentials in provider
2. S3 bucket with public access enabled
3. No encryption on S3 bucket
4. Security group with overly permissive rules (0.0.0.0/0)
5. EC2 instance without encryption at rest
6. Public IP enabled on EC2 instance
7. IAM role with wildcard permissions (*)
8. RDS instance publicly accessible
9. RDS instance without encryption
10. Weak database password
11. No backup retention on RDS
#### Kubernetes (`k8s/deployment.yaml`):
1. Running containers as root user
2. Privileged containers enabled
3. All capabilities added to containers
4. No resource limits defined
5. Hardcoded secrets in environment variables
6. Mounting host filesystem (/)
7. Using default service account
8. ClusterRole with excessive permissions (wildcards)
9. Service exposed as LoadBalancer (public)
10. ClusterRoleBinding with default service account
#### Dockerfiles:
1. Running as root user
2. Outdated base images with known CVEs
3. Secrets in environment variables
4. Exposing multiple ports unnecessarily
5. No health check defined
6. Copying sensitive files into image
7. Installing unnecessary packages
## Running the Services
### Go Service
```bash
cd go-service
go mod download
go run main.go
```
The service will run on `http://localhost:8080`
### Java Service
```bash
cd java-service
mvn clean package
java -jar target/java-service-1.0.0.jar
```
## Testing with Lacework CLI
To scan this project with Lacework CNAPP Code Security:
```bash
# Navigate to project directory
cd project-2-microservices-iac
# Scan IaC (Terraform, Dockerfiles, K8s)
lacework iac scan -d .
# Scan code (SAST, SCA, Secrets)
lacework sca scan . --formats=md-summary
```
## Expected Findings
When scanned with Lacework CNAPP Code Security, this project should flag:
- **SAST**: Multiple code-level security issues in Go and Java (SQL injection, command injection, etc.)
- **SCA**: Vulnerable dependencies in pom.xml (including Log4j)
- **Secrets**: Hardcoded AWS keys, API tokens, database passwords across multiple files
- **IaC**:
- Terraform misconfigurations (public S3, permissive security groups, etc.)
- Kubernetes misconfigurations (privileged containers, root user, etc.)
- Dockerfile misconfigurations (root user, secrets, outdated images)
## Demo Value
This project demonstrates:
โ
**Multi-Language SAST** - Scans both Go and Java codebases
โ
**Comprehensive IaC Scanning** - Terraform, Kubernetes, and Dockerfiles
โ
**Real-World Scenarios** - Microservices architecture with infrastructure code
โ
**Multiple Vulnerability Types** - Code vulnerabilities, dependency issues, secrets, and misconfigurations
## Notes
- All secrets and credentials in this project are fake/example values
- This project is intentionally vulnerable and should never be deployed
- Use only for Lacework CNAPP Code Security demonstration purposes