Step 10: Exploit a Vulnerable Open Source component

Prepare to exploit a vulnerability in Goof.

The Goof repo includes various exploits to demonstrate the risks of open source vulnerabilities. We’ll demonstrate how the directory traversal vulnerability in the st package can lead to sensitive information leakage by exploiting it in our running application!

First, set the GOOF_HOST environment variable to the Load Balancer URL of the application running on EKS.

GOOF_HOST=$GOOF_LB

Next, navigate to the exploits folder and source the st-exploits.sh file. This defines a series of shell aliases that are used to demonstrate the exploit.

cd exploits
source st-exploits.sh

Exploit a vulnerability in Goof.

Run the aliases in order, as shown below. The good stuff is in st4 and st5, which leak the contents of the /etc/passwd file in our container image!

st1
st2
st3
st4
st5

st5-exploit

This is another example of how a single vulnerable open source component exposes a seemingly harmless, working application.

In the next step, we’ll address this vulnerability using Snyk’s upgrade guidance.