Pentesting Magnolia
Preparations
For a basic understanding of the CMS I will be deploying a basic setup of the Magnolia application. For that I will follow this setup of Magnolia using Azure App Service: http://www.royal-technology.net/deploying-magnolia-using-azure-app-service.html
Prerequisites
Having Azure CLI:
Checked. Otherwise go to https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli
Have Maven installed.
First I create my virtual environment in a specific folder for this project. Then, you enter the folder.
Now we create a Maven project: https://maven.apache.org/guides/getting-started/maven-in-five-minutes.html
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false
Under this directory you will notice the following standard project structure.
my-app
|-- pom.xml
`-- src
    |-- main
    |   `-- java
    |       `-- com
    |           `-- mycompany
    |               `-- app
    |                   `-- App.java
    `-- test
        `-- java
            `-- com
                `-- mycompany
                    `-- app
                        `-- AppTest.java
The src/main/java directory contains the project source code, the src/test/java directory contains the test source, and the pom.xml file is the project's Project Object Model, or POM.
Now, we log in to Azure:
This will take you to an MFA sign-in process.
Have the Maven Plugin for Azure App Service. This requires installing the plugins provided by Microsoft: https://github.com/microsoft/azure-maven-plugins/tree/develop/azure-webapp-maven-plugin
After that, clone the repo out of your project folder:
Then I entered the folder:
Once you are set, go to the folder of your maven project and run:
You will be asked the following:
[INFO] --- azure-webapp-maven-plugin:2.9.0:config (default-cli) @ my-lalaapp ---
Create new run configuration (Y/N) [Y]: y
Define value for OS [Linux]:
1: Windows
* 2: Linux
3: Docker
Enter your choice: 2
Define value for javaVersion [Java 17]:
1: Java 8
2: Java 11
* 3: Java 17
Enter your choice: 3
Define value for pricingTier [P1v2]:
1: B1
2: B2
3: B3
4: D1
5: EP1
6: EP2
7: EP3
8: F1
* 9: P1v2
10: P1v3
11: P2v2
12: P2v3
13: P3v2
14: P3v3
15: S1
16: S2
17: S3
18: Y1
Enter your choice: 9
Please confirm webapp properties
AppName : my-lalaapp-{id}
ResourceGroup : my-lalaapp-{id}-rg
Region : centralus
PricingTier : P1v2
OS : Linux
Java Version: Java 17
Web server stack: Java SE
Deploy to slot : false
Confirm (Y/N) [Y]:
[INFO] Saving configuration to pom.
To deploy the app:
Troubleshooting may require changing settings such as the source and target of the application.
The response contains a lot of verbose output and:
[INFO] --- azure-webapp-maven-plugin:2.9.0:deploy (default-cli) @ my-lalaapp ---
[INFO] Auth type: AZURE_CLI
[INFO] Default subscription: Magnolia({id-suscription})
[INFO] Username: amandaguglieri@gmail.com
[INFO] Subscription: Magnolia({id-suscription})
[INFO] Resource Group(my-lalaapp-{id}-rg) is successfully created.
[INFO] App Service plan (asp-my-lalaapp-{id}) is successfully created
[INFO] Web App(my-lalaapp-{id}) is successfully created
[INFO] Successfully deployed the resources to my-lalaapp-{id}
[INFO] Trying to deploy artifact to my-lalaapp-{id}...
[INFO] Deploying (/home/user/Projects/magnolia/applala/my-lalaapp/target/my-lalaapp-1.0-SNAPSHOT.jar)[jar] ...
[WARNING] Resource deployed, but the deployment is still in process in Azure
[INFO] Successfully deployed the artifact to https://my-lalaapp-{id}.azurewebsites.net
Installing Visual Studio Code with the following extensions:
- Maven for JAVA from Microsoft
- Extension Pack for JAVA from Microsoft
- Azure App Service Extension by Microsoft: App Service is Azure's fully-managed Platform as a Service (PaaS) that lets you deploy and scale web, mobile, and API apps. Use the Azure App Service extension for VS Code to quickly create, manage, and deploy your websites. Wiki: https://github.com/Microsoft/vscode-azureappservice/wiki
- Azure CLI Tools: Scrapbooks for developing and running commands with the Azure CLI.
Create a service principal
A service principal is a dedicated Azure account for automated tools, giving them an account without administrator privileges. Using a service principal is more secure than using a regular user account. To enable Maven to deploy the Magnolia project on Azure, create a service principal with password-based authentication:
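One way to create such a principal with least privilege, as an added example rather than the command from the original page: it scopes the role assignment to the single resource group the plugin created and prints the az command for review unless APPLY=1. The principal name, the all-zero subscription ID, the resource group suffix 1234 and the Contributor role are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): service principal for Maven
# deployments, limited to one resource group instead of the whole subscription.

# rg_scope SUBSCRIPTION_ID RESOURCE_GROUP
# Prints the ARM scope of one resource group. Inputs are validated
# conservatively so a stray "/" or empty value cannot widen the scope.
rg_scope() {
  case "$1" in
    ''|*[!0-9a-fA-F-]*) echo "invalid subscription id" >&2; return 1 ;;
  esac
  [ "${#1}" -eq 36 ] || { echo "invalid subscription id" >&2; return 1; }
  case "$2" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid resource group" >&2; return 1 ;;
  esac
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# create_deploy_sp NAME SUBSCRIPTION_ID RESOURCE_GROUP [ROLE]
# Dry run by default: prints the command. With APPLY=1 it calls the Azure CLI,
# which prints the generated password once; keep it in a secret store and out
# of pom.xml and version control.
create_deploy_sp() {
  sp_scope="$(rg_scope "$2" "$3")" || return 1
  sp_role="${4:-Contributor}"   # assumption: use a narrower role if it suffices
  if [ "${APPLY:-0}" = "1" ]; then
    az ad sp create-for-rbac --name "$1" --role "$sp_role" --scopes "$sp_scope"
  else
    printf 'az ad sp create-for-rbac --name %s --role "%s" --scopes %s\n' \
      "$1" "$sp_role" "$sp_scope"
  fi
}

# Constructed sample values; replace them with your own subscription and group.
create_deploy_sp magnolia-deploy-sp \
  00000000-0000-0000-0000-000000000000 my-lalaapp-1234-rg
```

Review the printed command, then rerun with APPLY=1 after `az login` to create the principal.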
https://learn.microsoft.com/en-us/entra/msal/java/build/maven
Building with Maven
To be able to build with maven, you need a working installation of Java and Maven.
Once you have successfully installed Java and Maven, clone the microsoft-authentication-library-for-java repository.
From your shell or command line:
$ git clone https://github.com/AzureAD/microsoft-authentication-library-for-java.git
$ cd microsoft-authentication-library-for-java
Then run:
mvn clean
mvn package
You should now have a "target" directory with msal4j-x.x.x.jar.
To install, run:
mvn install -DskipITs