OWASP Juice Shop user generation on docker startup
I'm trying to get Juice Shop running on my machine without losing the users that have already been created.
At the moment I'm using a docker-compose setup, which makes it really easy to start and use it locally.
But what always annoys me is that when restarting docker-compose / docker / my OS, all recently created users are gone and I have to recreate them :(
What am I missing here?
As far as I can tell, there must be a routine that creates all the users again and puts them into the user table (always deleting my users from number 31 upward; the first 30 are random, some of them predefined ones I've found).
My idea:
Sync the juiceshop.sqlite database out of the container volume so it isn't lost.... but it gets overwritten every time docker restarts the shop.
This is my docker-compose.yml:
version: '3.7'
services:
  juiceShop:
    image: bkimminich/juice-shop
    ports:
      - 80:3000
    environment:
      - NODE_ENV=myConfig
    volumes:
      - ./config.yml:/juice-shop/config/myConfig.yml:ro
      - juiceShop:/juice-shop:cached
      - ./juiceShop.sqlite:/juice-shop/data/juiceshop.sqlite:cached
volumes:
  juiceShop:
Further thoughts
- Is there a configuration option that stops these users from being generated?
- In the regular customization documentation I couldn't find anything mentioning this idea (https://pwning.owasp-juice.shop/part1/customization.html)
- Can I (apart from a custom script that inserts the old users) somehow make sure the old users are available the next time Juice Shop regenerates them?
- Where is the hidden logic that creates these users -> maybe a slight override could stop it?
I wouldn't recommend saving and restoring the SQLite database in any way, because you might end up in a state where the application can't start or no longer lets you solve certain challenges. It's very common for database records (especially users and products) to get messed up while trying to solve certain challenges. Juice Shop prevents any such problem from persisting by wiping the database entirely:
Self-healing-feature
OWASP Juice Shop was not exactly designed and built with a high availability and reactive enterprise-scale architecture in mind. It runs perfectly fine and fast when it is attacked via a browser by a human. When under attack by an automated tool - especially aggressive brute force scripts - the server might crash under the load. This could - in theory - leave the database and file system in an unpredictable state that prevents a restart of the application.
That is why - in practice - Juice Shop wipes the entire database and the folder users might have modified during hacking. After performing this self-healing the application is supposed to be restartable, no matter what kind of problem originally caused it to crash. For convenience the self-healing happens during the start-up (i.e. npm start) of the server, so no extra command needs to be issued to trigger it.
(Source: https://pwning.owasp-juice.shop/part1/running.html)
Users also intentionally have no configuration options apart from their email domain and the number of randomly added users on top of the default ones. Changing the users would very likely break a dozen or more challenges.
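Since the answer above rules out persisting the database, the remaining option the question mentions, a script that re-creates the accounts after every restart, is shown here as an added example (not code from Juice Shop or from either poster). It assumes the shop registers users through POST /api/Users with a JSON body of email, password and passwordRepeat, answers 201 on success and 400 with a message containing "unique" for an email that already exists; port 80 is taken from the compose file above and the user list is a constructed sample.

```python
import json
import sys
import urllib.error
import urllib.request

# Port 80 matches the "80:3000" mapping in the docker-compose.yml above.
BASE_URL = "http://localhost:80"

# Constructed sample list; in practice keep it in a file outside the container.
USERS = [
    {"email": "alice@juice-sh.op", "password": "Correct-Horse-1"},
    {"email": "bob@juice-sh.op", "password": "Battery-Staple-2"},
]

def registration_payload(email: str, password: str) -> dict:
    """Body the registration form sends (assumed field names, see lead-in)."""
    return {"email": email, "password": password, "passwordRepeat": password}

def http_post(url: str, payload: dict) -> tuple:
    """POST JSON and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def register_users(users: list, base_url: str = BASE_URL, post=http_post) -> dict:
    """Re-create each account; returns {email: "created" | "exists" | "error <status>"}."""
    results = {}
    for user in users:
        status, body = post(f"{base_url}/api/Users",
                            registration_payload(user["email"], user["password"]))
        if status == 201:
            results[user["email"]] = "created"
        elif status == 400 and "unique" in body:  # assumed duplicate-email response
            results[user["email"]] = "exists"
        else:
            results[user["email"]] = f"error {status}"
    return results

if __name__ == "__main__":
    # Run after `docker-compose up` has finished starting the shop.
    outcome = register_users(USERS)
    print(json.dumps(outcome, indent=2))
    sys.exit(1 if any(v.startswith("error") for v in outcome.values()) else 0)
```

Because the wipe happens on every start, the script only re-registers accounts and never touches the SQLite file, so the challenge data the answer warns about stays intact.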