Feature/lab10

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+## Goal
+
+
+## Changes
+
+
+## Testing
+
+
+## Artifacts & Screenshots
+
+
+## Checklist
+- [ ] Clear title
+- [ ] Docs updated
+- [ ] No secrets in code

labs/lab10/imports/import-nuclei-results.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":4,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":20,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":20},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":1,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":1},"high":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":21,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":21}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Nuclei Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":4}

labs/lab10/imports/import-semgrep-results.standard.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":6,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":4,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":4},"high":{"active":5,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":5},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":9,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":9}}},"pro":["Did you know, Pro has an automated no-code connector for Semgrep JSON Report? Try today for free or email us at hello@defectdojo.com"],"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Semgrep JSON Report","close_old_findings":false,"close_old_findings_product_scope":false,"test":6}

labs/lab10/imports/import-trivy-vuln-detailed.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":3,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"high":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Trivy Operator Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":3}

labs/lab10/imports/import-zap-report-noauth.xml.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":5,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"low":{"active":5,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":5},"medium":{"active":2,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":2},"high":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":10,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":10}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"ZAP Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":5}

labs/lab10/imports/run-imports.sh

@@ -63,8 +63,8 @@ if $have_jq; then
     if [[ -z "$val" ]]; then val="$fallback"; fi
     echo "$val"
   }
-  SCAN_ZAP="${SCAN_ZAP:-$(choose_type '^ZAP' 'ZAP Scan')}"
-  SCAN_SEMGREP="${SCAN_SEMGREP:-$(choose_type '^Semgrep' 'Semgrep JSON Report')}"
+  SCAN_ZAP="${SCAN_ZAP:-$(choose_type '^ZAP Scan$' 'ZAP Scan')}"
+  SCAN_SEMGREP="${SCAN_SEMGREP:-$(choose_type '^Semgrep JSON Report$' 'Semgrep JSON Report')}"
   SCAN_TRIVY="${SCAN_TRIVY:-$(choose_type '^Trivy' 'Trivy Scan')}"
   SCAN_NUCLEI="${SCAN_NUCLEI:-$(choose_type '^Nuclei' 'Nuclei Scan')}"
   # Grype importer (commonly named "Anchore Grype")
@@ -115,7 +115,10 @@ import_scan() {
 }
 
 # Candidate paths per tool
-zap_file="labs/lab5/zap/zap-report-noauth.json"
+zap_file="labs/lab5/zap/zap-report-noauth.xml"
+if [[ ! -f "$zap_file" ]]; then
+  zap_file="labs/lab5/zap/zap-report-noauth.json"
+fi
 semgrep_file="labs/lab5/semgrep/semgrep-results.json"
 trivy_file="labs/lab4/trivy/trivy-vuln-detailed.json"
 nuclei_file="labs/lab5/nuclei/nuclei-results.json"

labs/lab10/imports/semgrep-lab10-rules.yml

@@ -0,0 +1,61 @@
+rules:
+  - id: lab10-express-open-redirect
+    languages:
+      - javascript
+      - typescript
+    severity: WARNING
+    message: Unvalidated redirect target can allow open redirect attacks.
+    patterns:
+      - pattern-either:
+          - pattern: $RES.redirect($REQ.query.$PARAM)
+          - pattern: $RES.redirect($REQ.body.$PARAM)
+          - pattern: $RES.redirect($PARAM)
+    metadata:
+      category: security
+      cwe:
+        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+      owasp:
+        - A01:2021 - Broken Access Control
+
+  - id: lab10-hardcoded-jwt-secret
+    languages:
+      - javascript
+      - typescript
+    severity: ERROR
+    message: Hardcoded JWT secret or signing key detected.
+    patterns:
+      - pattern-either:
+          - pattern: jwt.sign($DATA, "...", ...)
+          - pattern: jwt.verify($TOKEN, "...", ...)
+          - pattern: $SECRET = "..."
+      - metavariable-regex:
+          metavariable: $SECRET
+          regex: (?i).*(jwt|secret|key).*
+    metadata:
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+
+  - id: lab10-child-process-command-injection
+    languages:
+      - javascript
+      - typescript
+    severity: ERROR
+    message: User-controlled data in child_process execution can lead to command injection.
+    patterns:
+      - pattern-either:
+          - pattern: child_process.exec($CMD, ...)
+          - pattern: exec($CMD, ...)
+          - pattern: shell.exec($CMD, ...)
+      - pattern-inside: |
+          function ... (..., $REQ, ...) {
+            ...
+          }
+    metadata:
+      category: security
+      cwe:
+        - "CWE-78: OS Command Injection"
+      owasp:
+        - A03:2021 - Injection

labs/lab10/report/docker-compose-ps.txt

@@ -0,0 +1,7 @@
+NAME                               IMAGE                                                                                                COMMAND                  SERVICE        CREATED          STATUS          PORTS
+django-defectdojo-celerybeat-1     defectdojo/defectdojo-django:latest                                                                  "/wait-for-it.sh pos…"   celerybeat     37 minutes ago   Up 35 minutes   
+django-defectdojo-celeryworker-1   defectdojo/defectdojo-django:latest                                                                  "/wait-for-it.sh pos…"   celeryworker   37 minutes ago   Up 35 minutes   
+django-defectdojo-nginx-1          defectdojo/defectdojo-nginx:latest                                                                   "/entrypoint-nginx.sh"   nginx          35 minutes ago   Up 35 minutes   80/tcp, 0.0.0.0:8443->8443/tcp, [::]:8443->8443/tcp, 0.0.0.0:8081->8080/tcp, [::]:8081->8080/tcp
+django-defectdojo-postgres-1       postgres:18.3-alpine@sha256:4da1a4828be12604092fa55311276f08f9224a74a62dcb4708bd7439e2a03911         "docker-entrypoint.s…"   postgres       37 minutes ago   Up 37 minutes   5432/tcp
+django-defectdojo-uwsgi-1          defectdojo/defectdojo-django:latest                                                                  "/wait-for-it.sh pos…"   uwsgi          37 minutes ago   Up 35 minutes   
+django-defectdojo-valkey-1         valkey/valkey:9.0.3-alpine@sha256:84c96f47ebe197e635cd3ddbe3ab74e8bdf783cf3befbfb1c36387275c1cd5d5   "docker-entrypoint.s…"   valkey         37 minutes ago   Up 37 minutes   6379/tcp

labs/lab10/report/dojo-report.html

@@ -0,0 +1,62 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>DefectDojo Lab 10 Report - Juice Shop</title>
+  <style>
+    body { font-family: Arial, sans-serif; margin: 32px; color: #202124; line-height: 1.45; }
+    h1, h2 { color: #1f3a5f; }
+    table { border-collapse: collapse; width: 100%; margin: 12px 0 24px; }
+    th, td { border: 1px solid #ccd2d8; padding: 8px 10px; text-align: left; }
+    th { background: #eef3f8; }
+    .meta { color: #5f6368; }
+  </style>
+</head>
+<body>
+  <h1>DefectDojo Lab 10 Report - Juice Shop</h1>
+  <p class="meta">Captured on 2026-04-27 from local DefectDojo at http://localhost:8081.</p>
+
+  <h2>Executive Summary</h2>
+  <p>The Labs Security Testing engagement contains 40 active findings after importing Nuclei, ZAP, Semgrep, and Trivy scan outputs. The current baseline has no mitigated or verified findings yet, so this report represents the starting point for vulnerability management and response.</p>
+
+  <h2>Severity Mix</h2>
+  <table>
+    <tr><th>Severity</th><th>Active</th><th>Verified</th><th>Mitigated</th></tr>
+    <tr><td>Critical</td><td>0</td><td>0</td><td>0</td></tr>
+    <tr><td>High</td><td>5</td><td>0</td><td>0</td></tr>
+    <tr><td>Medium</td><td>7</td><td>0</td><td>0</td></tr>
+    <tr><td>Low</td><td>5</td><td>0</td><td>0</td></tr>
+    <tr><td>Informational</td><td>23</td><td>0</td><td>0</td></tr>
+  </table>
+
+  <h2>Findings by Tool</h2>
+  <table>
+    <tr><th>Tool</th><th>Imported Findings</th><th>Notes</th></tr>
+    <tr><td>Nuclei</td><td>21</td><td>Mostly informational detections plus one medium Prometheus metrics exposure.</td></tr>
+    <tr><td>ZAP</td><td>10</td><td>Passive baseline warnings from the unauthenticated Juice Shop crawl.</td></tr>
+    <tr><td>Semgrep</td><td>9</td><td>Local Lab 10 rules found hardcoded secret and open redirect patterns.</td></tr>
+    <tr><td>Trivy</td><td>0</td><td>Filesystem scan completed, but no vulnerability records were present in the generated JSON.</td></tr>
+    <tr><td>Grype</td><td>0</td><td>Optional report was not available locally.</td></tr>
+  </table>
+
+  <h2>Recurring Categories</h2>
+  <table>
+    <tr><th>CWE</th><th>Count</th><th>Primary Source</th></tr>
+    <tr><td>CWE-798</td><td>5</td><td>Semgrep hardcoded JWT/secret findings</td></tr>
+    <tr><td>CWE-601</td><td>4</td><td>Semgrep open redirect findings</td></tr>
+    <tr><td>CWE-693</td><td>3</td><td>ZAP security header findings</td></tr>
+    <tr><td>CWE-200</td><td>3</td><td>Nuclei/ZAP information disclosure findings</td></tr>
+  </table>
+
+  <h2>SLA Outlook</h2>
+  <p>No findings are due within the next 14 days. High-severity Semgrep findings have a 2026-05-27 SLA expiration date; medium findings are due on 2026-07-26; low findings are due on 2026-08-25.</p>
+
+  <h2>Artifacts</h2>
+  <ul>
+    <li>CSV findings export: findings.csv</li>
+    <li>Raw API export: findings-api.json</li>
+    <li>Metrics snapshot: metrics-snapshot.md</li>
+  </ul>
+</body>
+</html>
+

labs/lab10/report/engagement-api.json

@@ -0,0 +1 @@
+{"id":1,"tags":[],"created":"2026-04-27T15:58:26.927187Z","updated":"2026-04-27T16:00:17.202444Z","name":"Labs Security Testing","description":null,"version":null,"first_contacted":null,"target_start":"2026-04-27","target_end":"2027-04-27","reason":null,"active":true,"tracker":null,"test_strategy":null,"threat_model":true,"api_test":true,"pen_test":true,"check_list":true,"status":"In Progress","progress":"threat_model","tmodel_path":"none","done_testing":false,"engagement_type":"CI/CD","build_id":null,"commit_hash":null,"branch_tag":null,"source_code_management_uri":null,"deduplication_on_engagement":false,"lead":1,"requester":null,"preset":null,"report_type":null,"product":1,"build_server":null,"source_code_management_server":null,"orchestration_engine":null,"notes":[],"files":[],"risk_acceptance":[]}

labs/lab10/report/findings.csv

@@ -0,0 +1,41 @@
+"id","title","severity","active","verified","is_mitigated","cwe","test_id","date","sla_start_date"
+1,"Public Swagger API - Detect","Info",true,false,false,200,4,"2026-04-27",
+2,"Dameng Database - Detect","Info",true,false,false,0,4,"2026-04-27",
+3,"SNMPv3 Fingerprint - Detect","Info",true,false,false,0,4,"2026-04-27",
+4,"X-Recruiting Header","Info",true,false,false,0,4,"2026-04-27",
+5,"FingerprintHub Technology Fingerprint","Info",true,false,false,200,4,"2026-04-27",
+6,"Add DOM EventListener - Detection","Info",true,false,false,0,4,"2026-04-27",
+7,"Deprecated Feature-Policy Header - Detection","Info",true,false,false,0,4,"2026-04-27",
+8,"OWASP Juice Shop","Info",true,false,false,0,4,"2026-04-27",
+9,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+10,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+11,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+12,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+13,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+14,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+15,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+16,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+17,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+18,"HTTP Missing Security Headers","Info",true,false,false,0,4,"2026-04-27",
+19,"robots.txt File","Info",true,false,false,0,4,"2026-04-27",
+20,"robots.txt Endpoint Prober","Info",true,false,false,0,4,"2026-04-27",
+21,"Prometheus Metrics - Detect","Medium",true,false,false,200,4,"2026-04-27",
+22,"Content Security Policy (CSP) Header Not Set","Medium",true,false,false,693,5,"2026-04-27",
+23,"Cross-Domain Misconfiguration","Medium",true,false,false,264,5,"2026-04-27",
+24,"Cross-Origin-Embedder-Policy Header Missing or Invalid","Low",true,false,false,693,5,"2026-04-27",
+25,"Cross-Origin-Opener-Policy Header Missing or Invalid","Low",true,false,false,693,5,"2026-04-27",
+26,"Dangerous JS Functions","Low",true,false,false,749,5,"2026-04-27",
+27,"Deprecated Feature Policy Header Set","Low",true,false,false,16,5,"2026-04-27",
+28,"Timestamp Disclosure - Unix","Low",true,false,false,497,5,"2026-04-27",
+29,"Modern Web Application","Info",true,false,false,0,5,"2026-04-27",
+30,"Storable and Cacheable Content","Info",true,false,false,524,5,"2026-04-27",
+31,"Storable but Non-Cacheable Content","Info",true,false,false,524,5,"2026-04-27",
+32,"rules.lab10-hardcoded-jwt-secret","High",true,false,false,798,6,"2026-04-27",
+33,"rules.lab10-hardcoded-jwt-secret","High",true,false,false,798,6,"2026-04-27",
+34,"rules.lab10-hardcoded-jwt-secret","High",true,false,false,798,6,"2026-04-27",
+35,"rules.lab10-hardcoded-jwt-secret","High",true,false,false,798,6,"2026-04-27",
+36,"rules.lab10-hardcoded-jwt-secret","High",true,false,false,798,6,"2026-04-27",
+37,"rules.lab10-express-open-redirect","Medium",true,false,false,601,6,"2026-04-27",
+38,"rules.lab10-express-open-redirect","Medium",true,false,false,601,6,"2026-04-27",
+39,"rules.lab10-express-open-redirect","Medium",true,false,false,601,6,"2026-04-27",
+40,"rules.lab10-express-open-redirect","Medium",true,false,false,601,6,"2026-04-27",

labs/lab10/report/metrics-snapshot.md

@@ -0,0 +1,37 @@
+# Metrics Snapshot - Lab 10
+
+- Date captured: 2026-04-27
+- DefectDojo URL: http://localhost:8081
+- Product Type: Engineering
+- Product: Juice Shop
+- Engagement: Labs Security Testing
+- Active findings:
+  - Critical: 0
+  - High: 5
+  - Medium: 7
+  - Low: 5
+  - Informational: 23
+- Open vs. closed by severity:
+  - Critical: 0 open, 0 closed
+  - High: 5 open, 0 closed
+  - Medium: 7 open, 0 closed
+  - Low: 5 open, 0 closed
+  - Informational: 23 open, 0 closed
+- Verified vs. Mitigated notes: 40 findings are active, 0 are verified, and 0 are mitigated. This is a first-import baseline before triage and remediation workflow starts.
+- Tool import counts:
+  - Nuclei: 21 active findings
+  - ZAP: 10 active findings
+  - Semgrep: 9 active findings
+  - Trivy: 0 active vulnerability findings in the local filesystem scan
+  - Grype: not imported; the optional report was not present
+- Recurring categories:
+  - CWE-798: 5 hardcoded JWT/secret findings
+  - CWE-601: 4 open redirect findings
+  - CWE-693: 3 security header/protection mechanism findings
+  - CWE-200: 3 information exposure findings
+  - Missing security headers without a mapped CWE: 10 informational detections
+- SLA outlook:
+  - Due within 14 days: 0
+  - High-severity Semgrep findings are due on 2026-05-27
+  - Medium findings are due on 2026-07-26
+  - Low findings are due on 2026-08-25