Feature/lab7

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+# Goal 
+Submitting my homework for lab#
+
+# Changes
+- Added submissionXX.md
+
+# Checklist
+- [x] Task 1 done
+- [x] Task 2 done

labs/lab5/sqlmap/localhost/log

@@ -0,0 +1,8 @@
+sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
+---
+Parameter: #1* (URI)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: http://localhost:3000/rest/products/search?q=') AND 6254=6254 AND ('jcto' LIKE 'jcto
+---
+back-end DBMS: SQLite

labs/lab5/sqlmap/localhost/target.txt

@@ -0,0 +1,3 @@
+http://localhost:3000/rest/user/login (POST)  # /sqlmap/sqlmap.py -u http://localhost:3000/rest/user/login --data {\"email\":\"*\",\"password\":\"test\"} --method POST "--headers=Content-Type: application/json" --dbms=sqlite --batch --level=5 --risk=3 --technique=BT --threads=5 --output-dir=/output --dump
+
+{"email":"*","password":"test"}

labs/lab7/analysis/deployment-comparison.txt

@@ -0,0 +1,36 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT     MEM %
+juice-default      0.15%     101.5MiB / 31.21GiB   0.32%
+juice-hardened     0.15%     92.14MiB / 512MiB     18.00%
+juice-production   0.13%     93.31MiB / 512MiB     18.23%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop: <no value>
+SecurityOpt: <no value>
+Memory: 0
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: <no value>
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 536870912
+CPU: 0
+PIDs: 100
+Restart: on-failure

labs/lab7/hardening/docker-bench-results.txt

@@ -0,0 +1 @@
+Error connecting to docker daemon (does docker ps work?)

labs/lab7/scanning/dockle-results.txt

@@ -0,0 +1,9 @@
+SKIP	- DKL-LI-0001: Avoid empty password
+	* failed to detect etc/shadow,etc/master.passwd
+INFO	- CIS-DI-0005: Enable Content trust for Docker
+	* export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO	- CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+	* not found HEALTHCHECK statement
+INFO	- DKL-LI-0003: Only put necessary files
+	* unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 
+	* unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store 

labs/submission7.md

@@ -0,0 +1,72 @@
+# Task 1
+
+## Top 5 Critical/High Vulnerabilities
+|CVE ID|	Affected package|	Severity|	Impact|
+|-|-|-|-|
+|CVE-2026-44006|	vm2 3.9.17|	Critical, CVSS 10.0|	Code injection may allow severe sandbox compromise and arbitrary code execution|
+|CVE-2026-44005|	vm2 3.9.17|	Critical, CVSS 10.0|	Prototype pollution can corrupt application state and enable follow-on exploitation|
+|CVE-2026-43997|	vm2 3.9.17|	Critical, CVSS 10.0|	Code injection creates a high-risk path to full runtime compromise|
+|CVE-2026-44009|	vm2 3.9.17|	Critical, CVSS 9.8	|Resource exposure may break isolation boundaries and expose sensitive execution context|
+|CVE-2026-44008|	vm2 3.9.17|	Critical, CVSS 9.8	|Resource exposure can undermine containment and significantly increase compromise impact|
+
+## Dockle
+... didn't find any FATAL or WARN: 
+```shell
+Status: Downloaded newer image for goodwithtech/dockle:latest
+SKIP    - DKL-LI-0001: Avoid empty password
+        * failed to detect etc/shadow,etc/master.passwd
+INFO    - CIS-DI-0005: Enable Content trust for Docker
+        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+        * not found HEALTHCHECK statement
+INFO    - DKL-LI-0003: Only put necessary files
+        * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 
+        * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store
+```
+
+## Security Posture Assessment
+- Run as root? seemingly no, instead used some user 65532
+- Upgrade vm2 3.9.17 because it has multiple possibly patched CVEs
+- Update components
+
+# Task 2
+For some reason, provided command didn't work for my installation...
+```shell
+docker: invalid reference format
+```
+
+# Task 3 
+
+## Configuration Comparison Table
+| Profile | Functionality | Capabilities | Security options | Memory | CPU | PIDs | Restart |
+|---|---:|---|---|---:|---:|---:|---|
+| Default | HTTP 200 | Docker default | Docker default | Unlimited | Unlimited | Unlimited | no |
+| Hardened | HTTP 200 | Drop ALL | no-new-privileges | 512 MiB | 1 CPU | Unlimited | no |
+| Production | HTTP 200 | Drop ALL, add NET_BIND_SERVICE | no-new-privileges | 512 MiB | 1 CPU | 100 | on-failure |
+
+## Security Measure Analysis
+
+### `--cap-drop=ALL` and `--cap-add=NET_BIND_SERVICE`
+Linux capabilities are small privilege blocks; dropping them limits what a compromised container can do.
+``NET_BIND_SERVICE`` adds back only permission to bind low ports, so security stays tighter than Docker defaults.
+
+### ``--security-opt=no-new-privileges``
+Prevents processes from gaining extra privileges after startup.
+
+### ``--memory=512m`` and ``--cpus=1.0``
+Limits memory usage to 512M and CPU usage to 1
+
+### ``--pids-limit=100``
+Anti-fork-bomb limit to only 100 subprocesses
+
+### ``--restart=on-failure:3``
+Restart the container on crash, but only up to 3 times
+
+
+## 3. Critical Thinking Questions
+
+- Development: Use the Default profile because it is easiest for debugging and has fewer restrictions.
+- Production: Use the Production profile because it applies least privilege, resource limits, PID limits, and controlled restart behavior.
+- Resource limits: They prevent one container from exhausting host resources and degrading other services.
+- Default vs Production: Production blocks extra Linux capabilities, privilege escalation, excessive memory use, excessive process creation, and unlimited restart loops.
+- Additional hardening: Add a read-only root filesystem, explicit non-root user validation, image signing, dependency patching, and stricter network exposure.