The Goof repo includes various exploits that demonstrate the risks of open source vulnerabilities. We'll show how the Directory Traversal vulnerability in the st package can lead to sensitive information leakage by exploiting it in our running application.
First, set the GOOF_HOST environment variable to the Load Balancer URL of the application running on EKS.
Next, navigate to the exploits folder and source the st-exploits.sh file. This sets up a series of aliases to demonstrate the exploit.
```bash
cd exploits
source st-exploits.sh
```
Run the aliases as demonstrated below. The good stuff is in st5, which leaks the contents of the /etc/passwd file in our container image!

```bash
st1
st2
st3
st4
st5
```
This is another example of an open source vulnerability in a seemingly harmless, working application.
In the next step, we'll address this vulnerability using Snyk's upgrade guidance.