Skip to content

Pentesting magnolia

Preparations

For a basic understanding of the CMS I will be deploying a basic setup of the Magnolia application. For that I will follow this setup of Magnolia using Azure App Service: http://www.royal-technology.net/deploying-magnolia-using-azure-app-service.html

Prerrequisites

Having azure cli:

1
az version

Checked. Otherwise go to https://learn.microsoft.com/en-us/cli/azure/get-started-with-azure-cli

Have maven installed. 

1
mvn -v

First I create my virtual environment in a specific folder for this project. Then, you enter the folder.

Now we create a maven project: https://maven.apache.org/guides/getting-started/maven-in-five-minutes.html

1
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false

Under this directory you will notice the following standard project structure.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
my-app
|-- pom.xml
`-- src
    |-- main
    |   `-- java
    |       `-- com
    |           `-- mycompany
    |               `-- app
    |                   `-- App.java
    `-- test
        `-- java
            `-- com
                `-- mycompany
                    `-- app
                        `-- AppTest.java

The src/main/java directory contains the project source code, the src/test/java directory contains the test source, and the pom.xml file is the project's Project Object Model, or POM.

Now, we login into Azure

1
az login --tenant [tenant-id] --use-device-code

This will take you to a MFA signing-in process.

Having Maven Plugin for Azure App Service. This takes me to install these plugins provided by Microsoft: https://github.com/microsoft/azure-maven-plugins/tree/develop/azure-webapp-maven-plugin

After that, clon the repo out of your project folder

1
git clone https://github.com/microsoft/azure-maven-plugins

Then I entered the folder:

1
cd azure-maven-plugins

Once you are set, go to the folder of your maven project and run:

1
mvn com.microsoft.azure:azure-webapp-maven-plugin:2.9.0:config

You will be asked the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[INFO] --- azure-webapp-maven-plugin:2.9.0:config (default-cli) @ my-lalaapp ---
Create new run configuration (Y/N) [Y]: y
Define value for OS [Linux]:
  1: Windows
* 2: Linux
  3: Docker
Enter your choice: 2
Define value for javaVersion [Java 17]:
  1: Java 8
  2: Java 11
* 3: Java 17
Enter your choice: 3
Define value for pricingTier [P1v2]:
   1: B1
   2: B2
   3: B3
   4: D1
   5: EP1
   6: EP2
   7: EP3
   8: F1
*  9: P1v2
  10: P1v3
  11: P2v2
  12: P2v3
  13: P3v2
  14: P3v3
  15: S1
  16: S2
  17: S3
  18: Y1
Enter your choice: 9
Please confirm webapp properties
AppName : my-lalaapp-{id}
ResourceGroup : my-lalaapp-{id}-rg
Region : centralus
PricingTier : P1v2
OS : Linux
Java Version: Java 17
Web server stack: Java SE
Deploy to slot : false
Confirm (Y/N) [Y]: 
[INFO] Saving configuration to pom.

To deploy the app:

1
mvn package azure-webapp:deploy

Some troubleshooting will make you change things such as source and target of the application.

Response, a lot of verbose code and:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
[INFO] --- azure-webapp-maven-plugin:2.9.0:deploy (default-cli) @ my-lalaapp ---
[INFO] Auth type: AZURE_CLI
[INFO] Default subscription: Magnolia({id-suscription})
[INFO] Username: amandaguglieri@gmail.com
[INFO] Subscription: Magnolia({id-suscription})
[INFO] Resource Group(my-lalaapp-{id}-rg) is successfully created.
[INFO] App Service plan (asp-my-lalaapp-{id}) is successfully created
[INFO] Web App(my-lalaapp-{id}) is successfully created
[INFO] Successfully deployed the resources to my-lalaapp-{id}
[INFO] Trying to deploy artifact to my-lalaapp-{id}...
[INFO] Deploying (/home/user/Projects/magnolia/applala/my-lalaapp/target/my-lalaapp-1.0-SNAPSHOT.jar)[jar]  ...
[WARNING] Resource deployed, but the deployment is still in process in Azure
[INFO] Successfully deployed the artifact to https://my-lalaapp-{id}}.azurewebsites.net

Installing Visual Studio Code with the following extensions: - Maven for JAVA from Microsoft - Extension Pack for JAVA from Microsoft - Azure App Service Extension by Microsoft: App Service is Azure's fully-managed Platform as a Service (PaaS) that lets you deploy and scale web, mobile, and API apps. Use the Azure App Service extension for VS Code to quickly create, manage, and deploy your websites. Wiki: https://github.com/Microsoft/vscode-azureappservice/wiki - Azure CLI Tools: Scrapbooks for developing and running commands with the Azure CLI.

Create a service principal

Service principals are dedicated Azure accounts for automated tools providing an account without administrator privileges. Using a service principal is more secure than using a regular user account. To enable Maven to deploy the Magnolia project on Azure, create a service principal with password-based authentication:

1
az ad sp create-for-rbac -n mylalaapp

https://learn.microsoft.com/en-us/entra/msal/java/build/maven

Building with Maven

To be able to build with maven, you need a working installation of Java and Maven.

Once you have successfully installed Java and Maven, clone the microsoft-authentication-library-for-java repository.

From you shell or command line:

  • $ git clone https://github.com/AzureAD/microsoft-authentication-library-for-java.git
  • $ cd microsoft-authentication-library-for-java

Then run:

  • mvn clean
  • mvn package

You should now have a "target" directory with msal4j-x.x.x.jar.

To install, run:

  • mvn install -DskipITs
Last update: 2024-10-06
Created: August 2, 2024 17:39:25