99 changes: 32 additions & 67 deletions submissions/lab1.md
Expand Up @@ -3,9 +3,9 @@
### Scope & Asset
- Asset: OWASP Juice Shop (local lab instance)
- Image: `bkimminich/juice-shop:v20.0.0`
- Image digest: <sha256:... — get from `docker inspect juice-shop --format '{{.Image}}'`>
- Host OS: <Windows 11 Pro 24H2 IoT>
- Docker: <Docker version 29.4.0, build 9d7ad9f>
- Image digest: sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0
- Host OS: Windows 11 Pro 24H2 IoT
- Docker: Docker version 29.4.0, build 9d7ad9f

### Deployment Details
- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:6767:3000 bkimminich/juice-shop:v20.0.0`
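Review bot: the digest recorded in the `Image digest` line comes from the command the placeholder names, `docker inspect juice-shop --format '{{.Image}}'`, and that returns the local image ID (the hash of the image config), not the registry manifest digest that pull-by-digest pinning needs; use `docker inspect bkimminich/juice-shop:v20.0.0 --format '{{index .RepoDigests 0}}'` to capture the `bkimminich/juice-shop@sha256:...` form, and consider using that reference instead of the `v20.0.0` tag in the run command so the documented digest is what was actually executed. Binding to `127.0.0.1:6767` rather than all interfaces is the right choice for a local lab instance and is worth stating explicitly in the deployment notes.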
Expand Down Expand Up @@ -59,7 +59,7 @@ Which of these are MISSING? (cross-reference Lecture 1 OWASP Top 10:2025 — A06
1. **Missing Security Headers (OWASP A05/A06)** — Several security-related HTTP headers are missing, including Content-Security-Policy and Strict-Transport-Security. Missing headers can make the application more vulnerable to attacks such as XSS or protocol downgrade attacks. This is related to OWASP Top 10 A05: Security Misconfiguration.
2. **Public API Exposure (OWASP A01)** — Several API endpoints appear accessible without authentication. Public endpoints increase the application's attack surface and may expose data that should be protected if access controls are not properly implemented. This relates to OWASP A01: Broken Access Control.
3. **Client-Side Data Storage (OWASP A01)** — The application stores data in browser local storage. While the observed values are not sensitive, storing security-relevant information in local storage can increase the impact of cross-site scripting attacks. This is related to OWASP A01: Broken Access Control and general client-side security concerns.
```




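Review bot: the OWASP category labels are inconsistent across the three findings and with the edition named in the hunk header (OWASP Top 10:2025): item 1 cites `A05/A06` and then `A05: Security Misconfiguration`, which is the 2021 numbering, and item 3 files client-side local storage under `A01: Broken Access Control` although its own text describes an XSS-impact and data-exposure concern, not an access-control failure. Pick one edition, state it once, and map each finding to the category its description supports. Also check the lone closing ``` fence after item 3: if the numbered list is not inside a fenced block, that fence is a template remnant and will flip the rendering of everything below it.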
Expand All @@ -85,9 +85,9 @@ Required sections (the template must include all four):

Required checklist (the template must include all three items):

- [ ] Title is clear (`feat(labN): <topic>` style)
- [ ] No secrets/large temp files committed
- [ ] Submission file at `submissions/labN.md` exists
- [x] Title is clear (`feat(labN): <topic>` style)
- [x] No secrets/large temp files committed
- [x] Submission file at `submissions/labN.md` exists

> **Hint:** GitHub auto-detects `.github/PULL_REQUEST_TEMPLATE.md` and pre-fills the PR description box. To test, push the branch and open a PR draft — the template should appear before you write a single word.

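Review bot: the lines around the ticked boxes (`Required checklist (the template must include all three items):` and the `> **Hint:**` paragraph about `.github/PULL_REQUEST_TEMPLATE.md`) are assignment instructions rather than submission content, so ticking the boxes in place leaves `submissions/lab1.md` reading like the lab handout. Either put the checkboxes in the PR template file they describe, so the PR itself carries them, or replace this block with a short statement of what was verified (title format, no secrets or large temp files, submission path). Ticking `No secrets/large temp files committed` is a claim a reviewer cannot confirm from this file alone; a `git diff --stat` of the PR or a secret-scan result would back it.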
Expand All @@ -106,32 +106,6 @@ Required checklist (the template must include all three items):

## Task 3 — GitHub Community Engagement (1 pt)

**Objective:** Explore GitHub's social features that support collaboration and discovery.

**Actions Required:**
1. **Star** the course repository
2. **Star** the [simple-container-com/api](https://github.com/simple-container-com/api) project — a promising open-source tool for container management
3. **Follow** your professor and TAs on GitHub:
- Professor: [@Cre-eD](https://github.com/Cre-eD)
- TA: [@Naghme98](https://github.com/Naghme98)
- TA: [@pierrepicaud](https://github.com/pierrepicaud)
4. **Follow** at least 3 classmates from the course


<details>
<summary>💡 GitHub Social Features</summary>

**Why Stars Matter:**
- Stars help you bookmark interesting projects for later reference
- Star count indicates project popularity and community trust
- Starred repos appear in your GitHub profile, showing your interests
- Stars encourage maintainers and help projects gain visibility

**Why Following Matters:**
- See what other developers are working on
- Discover new projects through their activity
- Build professional connections beyond the classroom
- Stay updated on classmates' work for future collaboration

## GitHub Community

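Review bot: removing the `<details>` and `<summary>` opener in this hunk while the closing `</details>` still appears as context further down, after the `## GitHub Community` paragraphs, leaves an unmatched tag unless that close is dropped in the same change; confirm the following hunk removes it. If the graders expect the `## Task 3` heading to stay above the new `## GitHub Community` section, keep the heading and delete only the objective and action list.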
Expand All @@ -140,40 +114,14 @@ Starring repositories helps developers bookmark useful projects and shows suppor
Following developers helps me learn from their work, discover new projects, and stay informed about updates in technologies that interest me. It also makes collaboration easier in team environments and helps build a professional network.


</details>


---

## Bonus Task — Smoke-Test Workflow in GitHub Actions (2 pts)

> 🌟 **Genuinely challenging — not just wiring.** This task previews Lecture 4 (CI/CD Security). You'll write a real workflow that runs Juice Shop in CI and verifies it works.

**Objective:** Create `.github/workflows/lab1-smoke.yml` that, on every PR, pulls Juice Shop, runs it as a service, curls the homepage, and fails the build if Juice Shop doesn't respond healthy.

### B.1: Write the workflow

```yaml
# .github/workflows/lab1-smoke.yml
# YOUR TASK: Smoke-test Juice Shop in CI
# Requirements:
# - Triggers on pull_request to main
# - Uses ubuntu-latest runner
# - permissions: { contents: read } at workflow level (Lecture 4, slide 7)
# - Pulls bkimminich/juice-shop:v20.0.0 (pin the tag — recall Lecture 4 SHA-pinning rationale; we accept a tag here since this is your first workflow)
# - Runs it as a service or via `docker run -d`
# - Waits up to 60s for it to be ready (loop with `curl --silent --fail`)
# - Fails the job if the homepage returns non-200 or never starts
#
# Hints:
# - GitHub Actions `services:` block is one elegant way (https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container)
# - Alternative: a single `steps:` job with `docker run -d` + a polling loop
# - The polling loop pattern (Juice Shop v20: use /rest/admin/application-version, not /rest/products):
# for i in $(seq 1 30); do
# curl --silent --fail http://localhost:3000/rest/admin/application-version >/dev/null && exit 0
# sleep 2
# done
# exit 1
```
wrote

### B.2: Verify it runs

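Review bot: the bare line `wrote` after the commented YAML template is not documentation and should go; if the template block is being removed, one sentence pointing at `.github/workflows/lab1-smoke.yml` reads better, and the lab's own requirement list (pin to `v20.0.0`, `permissions: { contents: read }` at workflow level, readiness loop of up to 60 s against `/rest/admin/application-version`, fail on non-200) is a useful checklist to state as satisfied in B.3. Separately, the hint's loop relies on `curl --silent --fail ... && exit 0` terminating the step, which only works as intended when the loop is the whole `run:` script; any commands placed after it in the same step are skipped on success.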
Expand All @@ -184,15 +132,32 @@ Following developers helps me learn from their work, discover new projects, and

### B.3: Document in `submissions/lab1.md`

```markdown

## Bonus: CI Smoke Test

- Workflow file: `.github/workflows/lab1-smoke.yml`
- Trigger: `pull_request` on main
- Run URL (must be green): <link to your Actions run>
- Workflow run duration: <e.g. 45s>
- Run URL (must be green): [url](https://github.com/MikeNovikoff/DevSecOps-Intro-Mike/actions/runs/27370603870)
- Workflow run duration: <17s>
- Curl response excerpt:
```
<paste your "HTTP/1.1 200 OK ..." block>
```
```
Run curl --silent --fail --head http://localhost:3000
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Thu, 11 Jun 2026 19:02:13 GMT
ETag: W/"26af-19eb8103f08"
Content-Type: text/html; charset=UTF-8
Content-Length: 9903
Vary: Accept-Encoding
Date: Thu, 11 Jun 2026 19:02:13 GMT
Connection: keep-alive
Keep-Alive: timeout=5


```
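Review bot: the fences in this section are unbalanced: the template's outer ```markdown wrapper at the top of the hunk is still open when the inner ``` fences around the curl excerpt begin, so the nested blocks will not render as intended; drop the outer wrapper (it existed only to show the template as code) and keep exactly one fenced block around the `HTTP/1.1 200 OK` output. Two smaller points: `Workflow run duration: <17s>` keeps the placeholder's angle brackets, and the link text `url` for the run could be the run number. The excerpt is also the evidence for finding 1 in Task 1, since no `Content-Security-Policy` or `Strict-Transport-Security` header appears in the response and `Access-Control-Allow-Origin: *` is visible; a cross-reference from the findings to this excerpt would strengthen the submission. Finally, the documented check is `--head` on `/` while the B.1 hint polls `/rest/admin/application-version` with GET; state which one the workflow actually uses.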