  • Stars: 175
  • Rank: 218,059 (Top 5 %)
  • Language: Java
  • License: Apache License 2.0
  • Created: about 8 years ago
  • Updated: over 1 year ago

Description

WARNING: This application contains security vulnerabilities. Run it only in a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking) and at your own risk, especially if you enable some of the advanced options described below!

AltoroJ is a sample banking J2EE web application. It shows what happens when web applications are written with consideration of app functionality but not app security. It's a simple and uncluttered platform for demonstrating and learning more about real-life application security issues.

AltoroJ uses standard Java & JSP functionality without relying on any additional frameworks. While the vast majority of real-life applications do use frameworks, the exact same principles of application security apply in both cases. Frameworks can also be hard to understand for someone not familiar with a particular framework, and they introduce complexities that detract from the overall learning experience. Not to mention that a large number of large and complex "legacy" Java web applications look very similar to AltoroJ (but are infinitely more complex, of course).

AltoroJ uses Apache Derby as its SQL database. The database is automatically initialized the first time you log into AltoroJ via its web interface. All transactions and operations will then be stored in this database from that point on, until you either delete the repository folder called "altoro" that is located in your OS home folder (e.g. C:\Users\[your_username] or /Users/[your_username]) or enable the advanced option to re-initialize the database every time your web application server is restarted (see below).

AltoroJ was created in 2008 and has gone through a number of iterations since then. It is currently being used around the world to demonstrate application security vulnerabilities, to educate people on how easy some of these issues are to exploit and how severe the impact may be, and is even part of academic curricula. Even though AltoroJ is pretty stable, if you do find a bug or create a cool exploit for one of its vulnerabilities, please let us know!

Binaries and hosted versions

If you'd like to try AltoroJ but want to skip all of the software development setup, use the publicly hosted version, available at http://altoromutual.com:8080/ . You will not be able to enable any of the advanced options and this site may not always be available, but it's the easiest way to get started. Keep in mind that it is a shared instance served over plain HTTP, so never enter real credentials or personal data there.

Prerequisites

AltoroJ has been developed using Eclipse and is designed to run on Tomcat 7, but since it's a relatively simple J2EE app, it should be pretty easy to port it to a different J2EE IDE or another J2EE web application server. Here are the out-of-the-box requirements:

  • Eclipse 4.6 or newer recommended (requires Java 8)
  • Tomcat 7.x
  • Gradle 3.0 to build from command line
  • Gradle's Buildship Eclipse plug-in to automatically download the required 3rd party libraries and run AltoroJ inside Eclipse. The easiest way to install Buildship is from the Eclipse Marketplace (inside Eclipse, go to Help -> Eclipse Marketplace)

Read more about importing AltoroJ into Eclipse from GitHub here

AltoroJ credentials

The main usernames and passwords for AltoroJ are as follows. They are deliberately weak demo credentials that are published here, so anyone who can reach your instance can log in with them; never reuse them elsewhere:

  • jsmith/demo1234
  • admin/admin

Advanced options

AltoroJ's original design goals were to create an application that is easy to deploy, very stable and less dangerous (as far as vulnerable web apps go). However, these goals meant that certain attacks couldn't be a part of it. Because of this, there are advanced user-configurable properties that enable AltoroJ behaviors which are disabled by default. These enable extra functionality, new attacks and demos, as well as optional behaviors.

Please see the WEB-INF/app.properties file for more information on each property.

REST API

AltoroJ has a fairly extensive REST API, which is documented using Swagger. You can find out more about and interact with the provided REST services by clicking on the REST API link in the footer of almost every AltoroJ page.

Troubleshooting

  • Problem: AltoroJ runs, but an error "Failed to create database 'altoro'" comes up when you try to log in

  • Cause: The AltoroJ database does not get created. This is usually caused by folder permission issues on a locked-down system.

  • Solution: To make sure this isn't a fluke, try to log in again using jsmith/demo1234. AltoroJ uses Java's user.home property as the base directory for its database, so this shouldn't happen. If it does, take a look at your Eclipse Console or, if running directly on Tomcat, open the "catalina.out" file from Tomcat's logs folder in a text editor and look for "user.home=". This is the folder in which AltoroJ is trying to create another folder, and the Tomcat process needs write access to it. You can then either give the user Tomcat runs under read/write/create access to this folder (recommended) OR modify Tomcat's startup to include -Duser.home="<new_path>" in the Java arguments to change the DB location.

  • Problem: AltoroJ does not run on Tomcat due to compilation errors

  • Cause: If you have compilation errors in Eclipse, the Java build path is likely to blame.

  • Solution: Run AltoroJ's Gradle build in order to download the required third-party libraries and build AltoroJ.
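The database problem above, and the "delete the altoro folder to start fresh" reset mentioned in the description, both come down to the folder Java reports as user.home. The following shell helpers are an added example and not part of AltoroJ: they pull user.home out of a catalina.out, check that the current user can create and write inside <user.home>/altoro, and reset the database by deleting that folder. The log line format "user.home=/some/path" is an assumption; the refusal check relies on the service.properties file that Apache Derby writes into every database directory.

```shell
#!/bin/sh
# Added helper script (not part of AltoroJ). Assumes the Tomcat/Eclipse log
# names the home folder as "... user.home=/path ..." on a single line.

# Print the user.home value recorded in a log file (last occurrence wins).
altoro_home_from_log() {
    log=$1
    sed -n 's/.*user\.home=\([^ ]*\).*/\1/p' "$log" | tail -n 1 | tr -d '"'
}

# Print the path of the AltoroJ (Derby) database folder for a home directory.
altoro_db_dir() {
    printf '%s/altoro\n' "$1"
}

# Return 0 if the current user can create and write inside <home>/altoro,
# which is exactly what AltoroJ needs the first time someone logs in.
# Run this as the user Tomcat runs under, not as yourself.
check_altoro_home() {
    home=$1
    db=$(altoro_db_dir "$home")
    [ -d "$home" ] || { echo "home folder $home does not exist" >&2; return 1; }
    mkdir -p "$db" 2>/dev/null || { echo "cannot create $db" >&2; return 1; }
    probe="$db/.write-probe.$$"
    if : >"$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    echo "cannot write inside $db" >&2
    return 1
}

# Delete the database folder so AltoroJ re-initializes it on the next login.
# Refuses unless the folder carries Derby's service.properties marker file,
# so a typo in the home path cannot wipe an unrelated directory.
reset_altoro_db() {
    db=$(altoro_db_dir "$1")
    if [ ! -f "$db/service.properties" ]; then
        echo "$db does not look like a Derby database; not touching it" >&2
        return 1
    fi
    rm -rf "$db"
}

# Usage (stop Tomcat first):
#   home=$(altoro_home_from_log /path/to/tomcat/logs/catalina.out)
#   check_altoro_home "$home" && echo "Tomcat user can write to $(altoro_db_dir "$home")"
#   reset_altoro_db "$home"   # forces a clean database on the next login
```

If check_altoro_home fails for the Tomcat service account but succeeds for your own login, the permission fix in the Solution above is the one you need; if the user.home it reports is somewhere you do not want a database at all, the -Duser.home startup argument is the alternative.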

License

All files found in this project are licensed under the Apache License 2.0.
