Unguard (🇦🇹 [ˈʊnˌɡuːat] like disquieting, 🇫🇷 [ãˈɡard] like the fencing command) is an insecure cloud-native microservices demo application. It consists of eight app services, a load generator, and two databases. Unguard encompasses vulnerabilities like server-side request forgery (SSRF), Command/SQL injection, JWT key confusion, remote code execution and many more.
The application is a web-based Twitter clone where users can register/log in, post text, URLs and images, and follow other users. Unguard also features fake ads, the ability to edit your biography, and membership management.
Note: This product is not officially supported by Dynatrace.
Screenshots: Timeline view | User profile view (images not included).
Unguard is composed of eight microservices written in different languages that talk to each other over REST.
Service | Language | Service Account | Description
---|---|---|---
envoy-proxy | | default | Routes to the frontend or the ad-service and also provides a vulnerable health endpoint.
frontend | Next.js | default | Provides a modern frontend that lets the user interact with the application. Includes an API that talks to the other microservices.
ad-service | .NET 5 | default | Provides CRUD operations for images and serves an HTML page that displays an image like an ad.
microblog-service | Java Spring | default | Serves a REST API for the frontend and saves data into Redis (explicitly calls vulnerable functions of the jackson-databind library 2.9.9).
proxy-service | Java Spring | unguard-proxy | Serves a REST API for proxying requests from the frontend (vulnerable to SSRF; no sanitization of the entered URL).
profile-service | Java Spring | default | Serves a REST API for updating biography information in an H2 database; vulnerable to SQL injection attacks.
membership-service | .NET 7 | default | Serves a REST API for updating user memberships in MariaDB; vulnerable to SQL injection attacks.
like-service | PHP | default | Serves a REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks.
user-auth-service | Node.js Express | default | Serves a REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion and SQL injection attacks).
status-service | Go | unguard-status | Serves a REST API for Kubernetes deployment health, as well as a user and user-role list (vulnerable to SQL injection).
payment-service | Python Flask | default | Serves a REST API for adding and retrieving credit card payment information associated with a user.
jaeger | | default | The Jaeger stack for distributed tracing.
mariadb | | unguard-mariadb | Relational database that holds user and token data.
redis | | default | Key-value store that holds all user data (except authentication-related data).
user-simulator | Node.js (Puppeteer) | default | Creates synthetic user traffic by driving a real browser as an Unguard user. Acts as a load generator.
malicious-load-generator | | default | Malicious load generator that performs CMD, JNDI, and SQL injections.
To quickly get started with Unguard, install the Unguard Helm chart using the Helm package manager.

Warning: Unguard is insecure by design and a careless installation will leave you exposed to severe security vulnerabilities. Make sure to restrict access and/or run it in a sandboxed environment.

1. Add the bitnami repository for the MariaDB dependency:

```sh
helm repo add bitnami https://charts.bitnami.com/bitnami
```

2. Install MariaDB:

```sh
helm install unguard-mariadb bitnami/mariadb --version 11.5.7 --set primary.persistence.enabled=false --wait --namespace unguard --create-namespace
```

3. Install Unguard:

```sh
helm install unguard oci://ghcr.io/dynatrace-oss/unguard/chart/unguard --wait --namespace unguard --create-namespace
```

To customize your Unguard chart installation, see the chart README.
See the Development Guide on how to set up and develop Unguard on a local Kubernetes cluster.
See the Unguard Chart README on how to install Unguard in your Kubernetes cluster using the Helm package manager.
- Kubernetes/AWS: The app is designed to run on a local Kubernetes cluster, as well as on the cloud with AWS.
- Jaeger Tracing: Most services are instrumented using trace interceptors.
- Skaffold: Unguard is deployed to Kubernetes with a single command using Skaffold.
- Synthetic Load Generation: The application comes with a deployment that creates traffic using the Element browser-based load generation library.
- Exploits: Different automated attack scenarios like JWT key confusion attacks, remote code execution, and Kubernetes container security exploits.
- Container Security Toolkit: Hands-on learning platform for Kubernetes container security, featuring assessment tools, exploitation demonstrations, and automated remediation capabilities.
- Monitoring: Dynatrace monitoring by utilizing MONACO.
- Tracing and Jaeger: See these instructions
- Malicious Load Generator: See these instructions
Warning: The container security toolkit can introduce real vulnerabilities into your cluster. Only use it in dedicated testing environments with proper network isolation. Never run it on production clusters.
Unguard includes a comprehensive container security toolkit that helps you learn about Kubernetes security misconfigurations and their remediation:
- Assessment Tools: Analyze the security posture of your deployments
- Vulnerability Simulation: Safely introduce common container security issues like privileged containers, dangerous capabilities, and host namespace sharing
- Exploitation Demonstrations: See how attackers could exploit these vulnerabilities in real scenarios
- Automated Remediation: Apply security best practices with a single command
- Interactive Learning: Step-by-step workflows to understand each security concept
- Kubernetes cluster (1.24+ recommended)
- kubectl configured with cluster access
- Python 3.9+ installed
- Helm 3.x for Unguard deployment
First, ensure Unguard is deployed in your cluster following the Quickstart guide above, then:

```sh
# Navigate to the toolkit directory
cd exploit-toolkit

# Install Python dependencies
pip install -e .

# Verify installation and check cluster connectivity
ug-exploit-k8s status

# Assess current security status
ug-exploit-k8s assess

# Make a service vulnerable for testing
ug-exploit-k8s vuln-service unguard-payment-service privileged

# Demonstrate the exploit
ug-exploit-k8s exploit privileged-containers

# Apply security fixes
ug-exploit-k8s secure-service unguard-payment-service

# Verify improvements
ug-exploit-k8s verify
```
For detailed documentation, see the Container Security Toolkit README.
Hummingbird icon by Danil Polshin from the Noun Project.