Add Additional Educational Security Vulnerabilities for Demo Enhancement

Summary

This MR implements 6 additional educational security vulnerabilities to enhance the DevSecOps demo application, providing a comprehensive security testing playground for GitLab's security scanning capabilities.

New Vulnerabilities Added

Server-Side Request Forgery (SSRF) - CWE-918

  • Route: /fetch-url
  • Allows fetching arbitrary URLs without validation
  • Demonstrates internal service access risks and cloud metadata access
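As an added example (not code from this MR or the demo application), the destination check that the /fetch-url route above omits: it resolves the host and rejects any address outside public unicast space, which covers loopback, RFC 1918, and the link-local range used by cloud metadata services. The function names and the resolver hook are assumptions made for this example.

```python
"""Destination validation for an outbound URL fetcher (SSRF mitigation)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _resolve(host: str) -> list[str]:
    """Resolve host to every A/AAAA address it has (real DNS; tests stub this)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_target(url: str, resolve=_resolve) -> bool:
    """Return True only if the URL uses an allowed scheme and port and every
    address the host resolves to is global unicast.  Hypothetical helper.

    Caveat: the fetcher must connect to the address checked here (pin it),
    otherwise a second lookup at fetch time can be rebound to an internal IP.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # reject http://trusted@internal/
        return False
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, private, link-local (169.254/16,
        # where cloud metadata lives), shared, reserved and unspecified space;
        # multicast is checked separately because is_global does not cover it.
        if not ip.is_global or ip.is_multicast:
            return False
    return True
```

A host that resolves to a mix of public and internal addresses is rejected as a whole, since the client cannot control which one the fetch would use.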

Information Disclosure - CWE-200

  • Route: /debug-info
  • Exposes environment variables, system paths, and configuration
  • High demo value for showing information leakage

Insecure Deserialization - CWE-502

  • Route: /load-data
  • Unsafe pickle deserialization vulnerability
  • Critical severity - allows arbitrary code execution

XML External Entity (XXE) - CWE-611

  • Route: /parse-xml
  • Unsafe XML parsing with external entity resolution
  • Classic vulnerability with excellent learning value

Insecure Direct Object Reference (IDOR) - CWE-639

  • Route: /user/<user_id>
  • Missing authorization checks for user profile access
  • Common web application vulnerability

Race Condition - CWE-362

  • Route: /increment-counter
  • File-based counter with a time-of-check/time-of-use (TOCTOU) vulnerability
  • Demonstrates concurrency issues

Key Features

  • Educational Focus: Each vulnerability includes comprehensive documentation explaining the security issue, potential impact, and attack vectors
  • CWE References: All vulnerabilities properly tagged with Common Weakness Enumeration identifiers
  • Demo-Ready: Interactive routes with example payloads and clear explanations
  • Scanner Compatible: Designed to be detected by GitLab's security scanning tools

Testing

All new routes are functional and ready for security testing:

  • SSRF endpoint accepts URL input and demonstrates internal service access
  • Information disclosure shows sensitive system data
  • Deserialization endpoint uses pickle with base64 encoding
  • XXE parser accepts XML with external entity resolution
  • IDOR allows enumeration of user profiles without authorization
  • Race condition counter demonstrates concurrent access issues

Test plan

  • Verify all 6 new routes are accessible and functional
  • Test that GitLab security scanners detect the new vulnerabilities
  • Confirm educational documentation is clear and comprehensive
  • Validate that existing functionality remains intact
  • Ensure pipeline passes with expected security findings

Closes #28

🤖 Generated with Claude Code
