Unguard is an insecure cloud-native microservices demo application.
Unguard
Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of eight app services, a load generator, and two databases. Unguard encompasses vulnerabilities like server-side request forgery (SSRF), Command/SQL injection, JWT key confusion, remote code execution and many more.
The application is a web-based Twitter clone where users can register/login, post text, URLs and images and follow users. Unguard also features fake ads, a possibility to edit your biography and manage your membership.
Note
This product is not officially supported by Dynatrace
🖼️ Screenshots
| Timeline | User profile | |---------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------| |
|
|
🏗️ Architecture
Unguard is composed of twelve microservices written in different languages that talk to each other over REST.
| Service | Language | Service Account | Description | |----------------------------------------------------------------|---------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | envoy-proxy | | default | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint. | | frontend | Next.js | default | Provides a modern frontend to allow the user to interact with the application. Includes an API that talks with the other microservices. | | ad-service | .NET 5 | default | Provide CRUD operation for images and serves a HTML page which displays an image like an ad. | | microblog-service | Java Spring | default | Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). | | proxy-service | Java Spring | unguard-proxy | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL). | | profile-service | Java Spring | default | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks | | membership-service | .NET 7 | default | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks | | like-service | PHP | default | Serves REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks | | user-auth-service | Node.js Express | default | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion and SQL injection attacks). | | status-service | Go | unguard-status | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection) | | payment-service | Python Flask | default | Serves REST API for adding and retrieving credit card payment information associated with a user. | | rag-service | Python FastAPI | default | Retrieval Augmented Generation (RAG) service that providing a REST API for spam classification based on a Knowledge Base (KB). Allows ingesting new data into the KB (vulnerable to data poisoning attacks) | | feedback-ingestion-service | Java Spring Boot | default | Collects user feedback on the spam predictions of the RAG service. This feedback is then ingested into the RAG service's Knowledge Base in regular intervals. | | jaeger | | default | The Jaeger stack for distributed tracing. | | mariadb | | unguard-mariadb | Relational database that holds user and token data. | | redis | | default | Key-value store that holds all user data (except authentication-related stuff). | | user-simulator | Node.js (Puppeteer) | default | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator. | | malicious-load-generator | | default | Malicious load generator that makes CMD, JNDI, and SQL injections. | | ollama | | default | Open-source local LLM and embeddings model that can be deployed to be used by the RAG service. |
Quickstart
To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager
Warning \
Unguard is insecure by design and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.
- Add the bitnami repository for the MariaDB dependency
helm repo add bitnami https://charts.bitnami.com/bitnami
- Install MariaDB
helm install unguard-mariadb bitnami/mariadb \
--version 11.5.7 \
--set primary.persistence.enabled=false \
--set image.repository=bitnamilegacy/mariadb \
--wait --namespace unguard --create-namespace
- Install Unguard
helm install unguard oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace
To customize your Unguard chart installation, see the chart README
🖥️ Local Development
See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.
☁️ Kubernetes Deployment
See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.
✨ Features
- Kubernetes/AWS: The app is designed to run on a local
- Jaeger Tracing: Most services are instrumented using trace interceptors.
- Skaffold: Unguard is deployed to Kubernetes with a single command using Skaffold.
- Synthetic Load Generation: The application comes with a deployment that creates traffic using
- Exploits: Different automated attack scenarios like JWT key confusion
- Monitoring: Dynatrace monitoring by
➕ Additional Deployment Options
- Tracing and Jaeger: See these instructions
- Malicious Load Generator: See these instructions
Hummingbird icon by Danil Polshin from the Noun Project.