Insecure Web application for use in Fortify demonstrations

fortify-presales/FortifyDemoApp

Fortify Demo App

This is a simple Python Flask web application that can be used to demonstrate application security testing tools, such as those provided by Fortify by OpenText. It is a cut-down "search" results/details page taken from the larger sample application IWA-Java and is kept deliberately small for demos.

Run Application (locally)

You can run the application locally using the following:

Windows:

python -m venv .venv
.venv\Scripts\Activate.ps1
pip install -r requirements.txt
run.bat

Linux/UNIX:

python3 -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt
./run.sh

The application should then be available at the URL http://localhost:5000. If it fails to start, make sure you have no other applications running on port 5000. There are only a few features that are functional in this version of the app:

  • you can navigate to the "Shop"
  • you can type in some keywords in the Shop search box, e.g. "alphadex" to filter results
  • you can click on any search result to navigate to a details page
  • you can download a datasheet PDF from a details page
  • you can subscribe to the newsletter by entering an email address in the input field of the footer
  • you can login/logout (user credentials are: [email protected]/password or [email protected]/password)

These have been "enabled" because they all have potential security issues that can be found by Fortify.

Scan Application (with Fortify)

To carry out a Fortify Static Code Analyzer local scan, run the following. Note that the -python-path value below is the Windows virtual environment layout; on Linux/UNIX the installed packages live under .venv/lib/python3.x/site-packages (with x matching your interpreter version), and the translate step will silently miss third-party code if the path is wrong:

sourceanalyzer -b fortifydemoapp -clean
sourceanalyzer -b fortifydemoapp -python-path ".venv/Lib/site-packages/" -exclude ".venv" "app"
sourceanalyzer -b fortifydemoapp -scan
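The three commands above hard-code the Windows site-packages path. The following POSIX sh script is an added example, not part of the FortifyDemoApp repository: it locates the venv's site-packages directory on either layout, builds the same translate/scan command line, and only executes it when sourceanalyzer is actually on PATH (otherwise it prints what it would run). The build ID, venv and source directory names are taken from the commands above; the explicit "-f <build_id>.fpr" output option is an addition so the result file name is predictable.

```shell
#!/usr/bin/env sh
# Added example (not the project's own script): portable wrapper around
# the local Fortify SCA scan described in the README.

# Locate a venv's site-packages directory. Windows venvs use
# <venv>/Lib/site-packages; POSIX venvs use <venv>/lib/pythonX.Y/site-packages.
# Prints the path; returns 1 if neither layout is present.
site_packages_dir() {
    venv="${1:-.venv}"
    if [ -d "$venv/Lib/site-packages" ]; then
        printf '%s\n' "$venv/Lib/site-packages"
        return 0
    fi
    for d in "$venv"/lib/python*/site-packages; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Print the clean / translate / scan commands, one per line, for the
# given build ID, venv and source directory. Fails if no site-packages
# directory can be found, so a mis-configured venv is caught before
# sourceanalyzer runs with an empty -python-path.
sca_commands() {
    build_id="$1"; venv="$2"; src="$3"
    pypath=$(site_packages_dir "$venv") || return 1
    printf 'sourceanalyzer -b %s -clean\n' "$build_id"
    printf 'sourceanalyzer -b %s -python-path "%s" -exclude "%s" "%s"\n' \
        "$build_id" "$pypath" "$venv" "$src"
    printf 'sourceanalyzer -b %s -scan -f %s.fpr\n' "$build_id" "$build_id"
}

# Execute the commands when sourceanalyzer is installed; otherwise just
# show them, so the script is safe to try on a machine without Fortify.
run_sca_scan() {
    build_id="${1:-fortifydemoapp}"; venv="${2:-.venv}"; src="${3:-app}"
    cmds=$(sca_commands "$build_id" "$venv" "$src") || {
        echo "no site-packages found under $venv; create the venv and pip install first" >&2
        return 1
    }
    if command -v sourceanalyzer >/dev/null 2>&1; then
        while IFS= read -r c; do
            echo "+ $c"
            eval "$c" || return 1
        done <<EOF
$cmds
EOF
    else
        echo "sourceanalyzer not found on PATH; would run:" >&2
        printf '%s\n' "$cmds"
    fi
}

# Usage (from the repository root, after creating the venv):
#   run_sca_scan fortifydemoapp .venv app
```

The result file lands in the current directory as fortifydemoapp.fpr and can be opened in Audit Workbench or uploaded to SSC with fcli.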

To carry out a Fortify ScanCentral SAST scan, run the following:

fcli ssc session login
scancentral package -o package.zip -bt none --python-virtual-env .venv -oss
fcli ssc sast-scan start --release "FortifyDemoApp:main" -f package.zip --store curScan
fcli ssc sast-scan wait-for ::curScan::
fcli ssc action run appversion-summary --av "FortifyDemoApp:main" -fs "Security Auditor View" -f summary.md

To carry out a Fortify on Demand scan, run the following:

fcli fod session login
scancentral package -o package.zip -bt none --python-virtual-env .venv -oss
fcli fod sast-scan start --release "FortifyDemoApp:main" -f package.zip --store curScan
fcli fod sast-scan wait-for ::curScan::
fcli fod action run release-summary --rel "FortifyDemoApp:main" -f summary.md

Kevin A. Lee (kadraman) - [email protected]