Testing application security tools is often challenging: synthetic applications are usually not realistic (e.g. WebGoat), and real-world applications are usually proprietary and not available to researchers. Security researchers must also spend enormous amounts of time getting an application into a runnable state before testing can even begin.
One real-world application that can be used for security testing is dotCMS, an open source content management system written in Java. dotCMS takes security seriously, and does a good job documenting their process, maintaining a list of known security vulnerabilities in prior releases, and documenting security changes in their changelog.
Source code for dotCMS is available on GitHub in case you also want to test static analysis tools.
This Vagrant configuration sets up a running dotCMS instance, including a MySQL database and various users with different access levels. By default, dotCMS 3.3.1 will be installed. The subsequent version, 3.5, fixes various security vulnerabilities, including SQLi (SI-36), XSS (SI-33), and Directory Traversal (SI-34).
To change to a different version, simply modify the version variable in bootstrap.sh.
- Start by downloading and installing Vagrant: https://www.vagrantup.com/downloads.html
- If you don't have VirtualBox installed, you'll also need to download and install it: https://www.virtualbox.org/wiki/Downloads
- Clone this repo
- Open a command prompt and navigate to the directory containing the Vagrantfile of the VM you want to start
- Type "vagrant up" to launch it, and wait for the VM to be set up and started
- dotCMS should be accessible at http://localhost:8080/ (from your host)
Once the VM is running, you can type "vagrant ssh" from the directory containing the Vagrantfile to get shell access into the VM if needed.
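As an added helper script (not part of this repo), the following waits for the forwarded dotCMS port described above to answer and then reports, for the version set in bootstrap.sh, whether the three advisories named above are expected to be fixed, so a tool's findings can be compared against a known baseline. It assumes curl is available on the host and takes the version string as its only argument (hypothetical usage: sh check_dotcms.sh 3.3.1).

```shell
#!/bin/sh
# Added helper, not from the dotCMS project: waits for the instance on the
# forwarded port and states the advisory baseline for the installed version.

# version_ge A B: true when dotted version A >= B (numeric, up to 4 fields)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# advisory_status VERSION: prints whether SI-36/SI-33/SI-34 are fixed,
# based only on the statement above that 3.5 fixed them (3.3.1 did not)
advisory_status() {
    if version_ge "$1" "3.5"; then
        echo "SI-36 SI-33 SI-34: fixed in $1"
    else
        echo "SI-36 SI-33 SI-34: unfixed in $1"
    fi
}

# wait_for_dotcms URL TRIES: poll every 5 s until an HTTP 2xx/3xx response
# arrives; dotCMS takes a while to start after the VM is up
wait_for_dotcms() {
    url="$1"; tries="${2:-60}"; i=0
    while [ "$i" -lt "$tries" ]; do
        if curl -fsS -o /dev/null "$url"; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    return 1
}

# Only runs the check when a version argument is given on the command line
if [ $# -gt 0 ]; then
    wait_for_dotcms "http://localhost:8080/" 60 || { echo "dotCMS not reachable"; exit 1; }
    advisory_status "$1"
fi
```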