Invadium runs exploit playbooks against vulnerable target applications in an intuitive, reproducible, and well-defined manner.

Overview

Invadium


Invadium runs exploits against one or more target applications in an intuitive, reproducible, and well-defined manner. It focuses on bridging the gap between developers who write exploits and presenters who use them for demos or educational purposes.

  • Presenters can navigate to the web UI of Invadium, choose from a selection of exploits, and demo their individual attack steps, all within Invadium.
  • Exploit developers define exploits by specifying a container image for it, environment variables for customization, and the individual commands that will be run at each step.

Invadium is not limited to exploits. You can use it for similar problems, e.g., showing new users how a tool of yours can be used, or providing a web UI for a set of commands that developers may regularly encounter.

⚠️ This product is not officially supported by Dynatrace.

🎬 Can I see it in action?

Sure! Below you see a presenter navigating to Invadium, selecting the Nmap network scanner and running only the first step of it, a standard scan of the target address.

Invadium Demo

What you are seeing above is defined in a so-called exploit format. Below is an excerpt of what this can look like for the Nmap exploit. The excerpt only shows one step; find the full file at ./exploits/config/nmap.yaml or start writing your own today!

id: nmap
name: Nmap
desc: |
  Nmap ("Network Mapper") is a free and open source utility
  for network discovery and security auditing.
image: ghcr.io/dynatrace-oss/invadium-nmap
env:
  - name: TARGET
    value: scanme.nmap.org
    desc: Target address to scan
steps:
  nmap_scan:
    name: Standard scan
    desc: Scans all reserved TCP ports on the target
    commands:
      - nmap -T$TIMING $OPTIONS $TARGET
    env:
      - name: TIMING
        value: 5
        desc: Timing template between 0 - 5 (higher is faster)
      - name: OPTIONS
        desc: Additional options for nmap
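
A small lint for definitions in this format, added here as an example (it is not Invadium's own code): it flags an image reference that carries no tag or digest and therefore resolves to `latest`, and any `$VAR` used in a step's commands that is undeclared or has no default. The dict mirrors the excerpt above with the `name` and `desc` fields dropped; the function names and the rule that step-level `env` is layered over exploit-level `env` are assumptions.

```python
import re

# Parsed form of the Nmap excerpt above (what a YAML loader would return),
# trimmed to the fields the lint reads.
NMAP = {
    "id": "nmap",
    "image": "ghcr.io/dynatrace-oss/invadium-nmap",
    "env": [{"name": "TARGET", "value": "scanme.nmap.org"}],
    "steps": {
        "nmap_scan": {
            "commands": ["nmap -T$TIMING $OPTIONS $TARGET"],
            "env": [{"name": "TIMING", "value": 5}, {"name": "OPTIONS"}],
        }
    },
}

# Matches $NAME and ${NAME} references inside a command line.
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def env_map(entries):
    """Turn a list of {name, value?} entries into {name: value-or-None}."""
    return {e["name"]: e.get("value") for e in entries or []}


def image_is_pinned(image):
    """True if the reference has a digest or an explicit non-latest tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # skip a registry host:port prefix
    return ":" in last and not last.endswith(":latest")


def lint_exploit(exploit):
    """Return a sorted list of (location, finding) tuples."""
    findings = []
    if not image_is_pinned(exploit["image"]):
        findings.append(("image", "unpinned"))
    base = env_map(exploit.get("env"))
    for step_id, step in exploit.get("steps", {}).items():
        # Assumption: step-level env is layered over exploit-level env.
        merged = {**base, **env_map(step.get("env"))}
        for cmd in step.get("commands", []):
            for name in VAR_REF.findall(cmd):
                if name not in merged:
                    findings.append((step_id, f"undeclared:{name}"))
                elif merged[name] is None:
                    findings.append((step_id, f"no-default:{name}"))
    return sorted(set(findings))


if __name__ == "__main__":
    for location, finding in lint_exploit(NMAP):
        print(f"{location}: {finding}")
```

A `no-default` finding is informational: `OPTIONS` is meant to be empty unless the presenter fills it in, while an `undeclared` variable would silently expand to nothing at run time.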

How does this work under the hood?

Invadium is split into a Next.js frontend and a Python backend, backed by FastAPI.

  1. Starting an exploit starts a new exploit container. If you run in docker mode, this spawns a new Docker container. If you run in kubernetes mode, a new pod is spawned in your namespace.
  2. When you execute individual steps, the backend runs docker exec or kubectl exec, respectively, and streams the logs to the frontend. One exploit container can run one or more steps.
  3. When you end your session, or after a certain timeout, the spawned containers or pods will be deleted again.

graph LR;
  subgraph Docker Host or Kubernetes Cluster
    frontend["Next.js<br/>Frontend"]
    backend["FastAPI<br/>Backend"]
    exploit1["fa:fa-dragon Exploit Container A"]
    exploit2["fa:fa-dragon Exploit Container B"]
    frontend --> backend;
    backend --> exploit1;
    backend --> exploit2;
  end

  exploit1 --> target
  exploit1 --> target
  exploit2 --> target

  subgraph Test System
    target["fa:fa-shopping-cart Target App"]
  end

🐳 Quick Start with Docker

You already have Docker and Compose installed? Awesome! Just run the following command. 1

docker-compose up --no-build -d

You should see the sqlmap and Nmap exploits that are read from ./exploits/config. Find the exploit format specification over here if you want to start writing your own!

1 This will pull images from GHCR.io - if you want to re-build the containers yourself, use --build instead.

Kubernetes Deployment

Invadium is ready for Kubernetes! Find detailed guides over here.

💻 Local Development

Planning to extend or adapt Invadium? This might be valuable for you:

⚙️ Configuration

Backend Directories

The backend expects exploit YAML files in the directory that you specified with the environment variable INVADIUM_CONFIG_PATH. This needs to be set when you start the Python backend. In our container images this is set to /config by default. You can mount your exploit YAML files there.

Backend Environment Variables

| Variable | Type | Description | Default |
| --- | --- | --- | --- |
| INVADIUM_CONFIG_PATH | str | Path where the exploit config YAML files are located | not set |
| INVADIUM_API_PORT | int | Port where the backend API will listen | 3001 |
| INVADIUM_API_ROOT | str | Prefix that is appended to API routes and the docs 1 | /api |
| INVADIUM_CORS_ORIGINS (optional) | list[str] | Origins that are allowed to call the backend 2 | not set |
| INVADIUM_EXPLOIT_RUNTIME | str | Runtime to use for exploit containers (docker or kubernetes) | docker |
| INVADIUM_EXPLOIT_TIMEOUT | int | Number of seconds after which an idle exploit container is deleted | 900 (15min) |
| INVADIUM_DOCKER_NETWORK (optional) | str | Spawns docker containers in a certain --network 3 | not set |
| INVADIUM_KUBERNETES_NAMESPACE | str | Kubernetes namespace where new exploit pods are spawned | invadium |
| INVADIUM_KUBERNETES_POD_CPU_REQUESTS | str | CPU requests per exploit pod in Kubernetes | 100m |
| INVADIUM_KUBERNETES_POD_CPU_LIMITS | str | CPU limits per exploit pod in Kubernetes | 250m |
| INVADIUM_KUBERNETES_POD_MEMORY_REQUESTS | str | Memory requests per exploit pod in Kubernetes | 250Mi |
| INVADIUM_KUBERNETES_POD_MEMORY_LIMITS | str | Memory limits per exploit pod in Kubernetes | 500Mi |

1 For example, when you set this to /api you can then fetch from localhost:3001/api/exploits. Also, the documentation will be available at this location, e.g. browse localhost:3001/api to see the Swagger docs. In our container images, this is set to /api by default to allow for prefix-routing. Locally, there is no prefix defined.

2 Put in the URL of the frontend if it has a different origin than the backend. For a local setup, it is best to set this to ["http://localhost:3000", "http://127.0.0.1:3000"].

3 For example, this can be set to host to spawn exploit containers in the same network as the Docker host. In some local setups, this can make it easier to reach target apps from the exploit containers.

4 Check the official docs to learn more about requests and limits.

Frontend Environment Variables

| Variable | Type | Description | Default |
| --- | --- | --- | --- |
| NEXT_BACKEND_API_URL | str | Absolute or relative URL to the backend API 1 | not set |

1 This URL must be reachable from the browser window of the user. If you supply a relative URL, the window.location.origin will be prepended.

Comments
  • Bump json5 and eslint-config-next in /frontend

    Bumps json5 to 2.2.3 and updates ancestor dependency eslint-config-next. These dependencies need to be updated together.

    Updates json5 from 2.2.1 to 2.2.3

    Release notes

    Sourced from json5's releases.

    v2.2.3

    v2.2.2

    • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).
    Changelog

    Sourced from json5's changelog.

    v2.2.3 [code, diff]

    v2.2.2 [code, diff]

    • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).
    Commits
    • c3a7524 2.2.3
    • 94fd06d docs: update CHANGELOG for v2.2.3
    • 3b8cebf docs(security): use GitHub security advisories
    • f0fd9e1 docs: publish a security policy
    • 6a91a05 docs(template): bug -> bug report
    • 14f8cb1 2.2.2
    • 10cc7ca docs: update CHANGELOG for v2.2.2
    • 7774c10 fix: add proto to objects and arrays
    • edde30a Readme: slight tweak to intro
    • 97286f8 Improve example in readme
    • Additional commits viewable in compare view

    Updates eslint-config-next from 12.2.0 to 13.1.1

    Release notes

    Sourced from eslint-config-next's releases.

    v13.1.1

    Core Changes

    • Exclude srcset from svg image: #44308
    • Fix CSS resource path not matched in __entry_css_files__: #44310
    • Fix next/image 404 when basePath and trailingSlash defined: #44312

    Documentation Changes

    • Remove experimental for modularizeImports from docs and example: #44311

    Example Changes

    • Updated dependencies for with-tailwindcss example: #44289

    Misc Changes

    • Use turbo for packing files in test setup: #44074

    Credits

    Huge thanks to @JanKaifer, @Nutlope, @styfle, and @chibicode for helping!

    v13.1.1-canary.1

    Core Changes

    • Fix next/image 404 when basePath and trailingSlash defined: #44312

    Documentation Changes

    • Remove experimental for modularizeImports from docs and example: #44311

    Credits

    Huge thanks to @chibicode and @styfle for helping!

    v13.1.1-canary.0

    Core Changes

    • Exclude srcset from svg image: #44308
    • Fix CSS resource path not matched in __entry_css_files__: #44310

    Example Changes

    • Updated dependencies for with-tailwindcss example: #44289

    Misc Changes

    • Use turbo for packing files in test setup: #44074

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 0
  • Invadium UI is blank

    To Reproduce

    # Ubuntu box
    # update docker compose otherwise it moans about version
    sudo apt update  < "/dev/null"
    sudo apt install -y ca-certificates curl gnupg lsb-release  < "/dev/null"
    sudo mkdir -p /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
      $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt update  < "/dev/null"
    sudo apt install -y docker-compose-plugin  < "/dev/null"
    
    # Clone Repo
    git clone https://github.com/dynatrace-oss/invadium
    
    # Start
    cd invadium
    docker compose up --no-build -d
    

    Env details

    $ whoami
    root
    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.3 LTS
    Release:        20.04
    Codename:       focal
    
    bug 
    opened by agardnerIT 5
  • [RT-3145] The URL button is not added nor removed when the value changes from a text to an URL

    When an env variable has a URL as its value, the "open URL" button is correctly shown. But when the value is updated to a non-URL in the UI, the button is still there. The same happens the other way around.

    bug 
    opened by blu3r4y 0
  • [RT-3144] Let the backend clean-up old containers even when it has been restarted

    The backend has a job that tries to clean up old containers, but, when it has been restarted, does it keep track of them and will it clean them up again? Ensure that this happens.

    quality needs refinement 
    opened by blu3r4y 0
  • [RT-3101] Write tests for the backend that rely on a dummy container

    Currently, active exploits can hardly be tested. We should think about adding a dummy container with which we can do a full end-to-end test of the backend components.

    quality needs refinement 
    opened by blu3r4y 0
Releases(v1.0.0)
  • v1.0.0(Aug 31, 2022)

    This is version 1.0.0 of Invadium, a framework that runs exploit playbooks against vulnerable target applications in an intuitive, reproducible, and well-defined manner.

    This first release is only possible because of the contributions from:

    • Florian Keintzel @flo-kei
    • Jakob Rathberger @JakobRathberger
    • Markus Remplbauer @markusremplbauer

    Follow the README to learn how to deploy and use Invadium. This release can be pulled via:

    docker pull ghcr.io/dynatrace-oss/invadium-backend:1.0.0
    docker pull ghcr.io/dynatrace-oss/invadium-frontend:1.0.0
    
Owner
Dynatrace Open Source
This organization contains Open Source projects maintained by Dynatrace. If not stated differently, these projects are not officially supported.