Unguard

Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of eight app services, a load generator, and two databases. Unguard encompasses vulnerabilities like server-side request forgery (SSRF), Command/SQL injection, JWT key confusion, remote code execution and many more.

The application is a web-based Twitter clone where users can register/login, post text, URLs and images and follow users. Unguard also features fake ads, a possibility to edit your biography and manage your membership.

Note: This product is not officially supported by Dynatrace.

🖼️ Screenshots

Screenshots: the timeline and a user profile.

🏗️ Architecture

Unguard is composed of eight microservices written in different languages that talk to each other over REST.

Unguard Architecture

| Service | Language | Service Account | Description |
|---|---|---|---|
| envoy-proxy | | default | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint. |
| frontend | Node.js Express | default | Serves HTML to the user to interact with the application. |
| ad-service | .NET 5 | default | Provides CRUD operations for images and serves an HTML page which displays an image like an ad. |
| microblog-service | Java Spring | default | Serves a REST API for the frontend and saves data into redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9). |
| proxy-service | Java Spring | unguard-proxy | Serves a REST API for proxying requests from the frontend (vulnerable to SSRF; no sanitization of the entered URL). |
| profile-service | Java Spring | default | Serves a REST API for updating biography information in an H2 database; vulnerable to SQL injection attacks. |
| membership-service | .NET 7 | default | Serves a REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks. |
| like-service | PHP | default | Serves a REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks. |
| user-auth-service | Node.js Express | default | Serves a REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion). |
| status-service | Go | unguard-status | Serves a REST API for Kubernetes deployment health, as well as a user and user role list (vulnerable to SQL injection). |
| payment-service | Python Flask | default | Serves a REST API for adding and retrieving credit card payment information associated with a user. |
| jaeger | | default | The Jaeger stack for distributed tracing. |
| mariadb | | unguard-mariadb | Relational database that holds user and token data. |
| redis | | default | Key-value store that holds all user data (except authentication-related data). |
| user-simulator | Node.js (Puppeteer) | default | Creates synthetic user traffic by simulating an Unguard user using a real browser. Acts as a load generator. |
| malicious-load-generator | | default | Malicious load generator that makes CMD, JNDI, and SQL injections. |

Quickstart

To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager.

Warning
Unguard is insecure by design and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.

  1. Add the bitnami repository for the MariaDB dependency

     helm repo add bitnami https://charts.bitnami.com/bitnami

  2. Install MariaDB

     helm install unguard-mariadb bitnami/mariadb --version 11.5.7 --set primary.persistence.enabled=false --wait --namespace unguard --create-namespace

  3. Install Unguard

     helm install unguard oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace

To customize your Unguard chart installation, see the chart README.
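The warning above asks you to restrict access to the installation. The following post-install check is an added example (not part of the Unguard project or its chart): it lists every Service in the `unguard` namespace that Kubernetes exposes outside the cluster (NodePort or LoadBalancer). It assumes `kubectl` is configured for the target cluster; the service names in the sample data are constructed and do not come from the chart.

```shell
# Reads "<name><TAB><type>" lines on stdin and prints "<name> <type>" for every
# Service that is reachable from outside the cluster (anything but ClusterIP).
find_exposed_services() {
    while IFS="$(printf '\t')" read -r name type; do
        [ -n "$name" ] || continue
        case "$type" in
            ClusterIP|"") ;;                       # cluster-internal only
            *) printf '%s %s\n' "$name" "$type" ;; # NodePort, LoadBalancer, ...
        esac
    done
}

# Live query against a real cluster: one "<name><TAB><type>" line per Service.
# Namespace defaults to "unguard", matching the Quickstart above.
kubectl_svc_lines() {
    kubectl get svc -n "${1:-unguard}" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.type}{"\n"}{end}'
}

# Constructed sample output in the same format (hypothetical names, not from a cluster).
SAMPLE_SVC_LINES="$(printf 'unguard-envoy-proxy\tNodePort\nunguard-frontend\tClusterIP\nunguard-mariadb\tClusterIP\nunguard-ad-service\tLoadBalancer\n')"

# Returns 1 and reports the offending Services if anything is exposed, so the
# check can gate a lab or CI setup step; returns 0 when everything is ClusterIP.
check_not_exposed() {
    exposed="$(printf '%s\n' "$1" | find_exposed_services)"
    if [ -n "$exposed" ]; then
        printf 'Externally reachable Unguard services:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# On a live cluster: check_not_exposed "$(kubectl_svc_lines unguard)"
```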

🖥️ Local Development

See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.

☁️ Kubernetes Deployment

See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.

✨ Features

➕ Additional Deployment Options


Hummingbird icon by Danil Polshin from the Noun Project.