Dockerized OWASP Benchmark with ByteHide Runtime protecting it at runtime. The runtime
agent is attached to the JVM (-javaagent) without modifying the application code, runs
in block mode, and answers detected attacks with HTTP 403 (RFC 7807).
Everything is self-contained in this folder: docker compose up and it builds and runs.
The OWASP Benchmark has 11 vulnerability categories. Six of them are request-borne attacks that a runtime firewall can intercept; ByteHide Runtime covers all six:
| Category | Test cases | Real vulnerabilities | Protection |
|---|---|---|---|
| SQL injection | 504 | 272 | SQL Injection |
| Cross-site scripting | 455 | 246 | Cross-Site Scripting |
| Path traversal | 268 | 133 | Path Traversal |
| Command injection | 251 | 126 | Command Injection |
| LDAP injection | 59 | 27 | LDAP Injection |
| XPath injection | 35 | 15 | XPath Injection |
The remaining five categories (weak cryptography, insecure hashing, weak randomness, insecure cookies and trust-boundary violations) are internal misuses of crypto/RNG/session APIs, not injectable payloads, so they are out of scope for runtime request protection.
Added to the Benchmark repository:
README.md # this guide (run the protected Benchmark + scorecard)
README.original.md # the upstream OWASP Benchmark README
docker-compose.yml # the protected Benchmark service (run from the repo root)
.env.example # environment template (set your BYTEHIDE_MONITOR_TOKEN)
bytehide-runtime/
├─ Dockerfile # builds the Benchmark and runs Tomcat with ByteHide Runtime attached
├─ packages/
│ ├─ monitor-java-agent-1.0.4.jar # ByteHide Runtime agent
│ ├─ monitor-config.json # ByteHide Runtime agent configuration
│ └─ servlet-api.jar # used by the inbound request scan
└─ attack/
└─ attack-scorecard.py # measures recall (blocked attacks) and false positives
- Docker with Docker Compose.
- Give Docker enough memory (≈6 GB recommended; the Benchmark is large).
- Python 3 on the host to run the scorecard (standard library only, no packages to install).
From the repository root, copy the env template and set your ByteHide Runtime token (required):
cp .env.example .env
# edit .env and set BYTEHIDE_MONITOR_TOKEN=bh_... (required; compose will not start without it)
docker compose up -d --buildThe first build compiles the Benchmark and may take several minutes. When it is ready the app is available at:
- https://localhost:9443/benchmark (self-signed certificate)
Check that ByteHide Runtime started:
docker compose logs benchmark | grep -i bytehideA real attack is blocked with 403; a benign request goes through:
# Attack -> 403 (blocked by ByteHide Runtime)
curl -k "https://localhost:9443/benchmark/sqli-00/BenchmarkTest00001" \
-d "username=admin&password=' OR '1'='1' --"
# Benign -> normal response
curl -k "https://localhost:9443/benchmark/sqli-00/BenchmarkTest00001" \
-d "username=admin&password=hunter2"BENCH_URL=https://localhost:9443/benchmark python3 bytehide-runtime/attack/attack-scorecard.pyFor each test case of the six runtime-applicable categories the scorecard runs two passes:
- Attack — sends a real exploit to each truly-vulnerable endpoint. A 403 means ByteHide Runtime blocked the attack (recall / true-positive rate).
- Benign — replays the Benchmark's own benign values to every endpoint. A 403 here would be a false positive (blocking legitimate traffic).
It prints recall and false positives per category and writes scorecard.csv.
ByteHide Runtime requires a project token (BYTEHIDE_MONITOR_TOKEN in .env); docker compose
will not start without it. The agent applies your ByteHide Runtime project's policy, so make sure
that project's protections are in block mode — in log mode attacks are detected but not
blocked, and the scorecard will report them as not blocked.
The Benchmark's own crawler sends benign inputs, because it is designed to score static and data-flow analysis tools. With benign traffic a runtime firewall correctly blocks nothing, so the crawler cannot measure it. The scorecard instead drives real attack payloads against the vulnerable endpoints and measures what gets blocked.
docker compose up -d --build --force-recreate- The HTTPS certificate is self-signed (use
-kwith curl / accept it in the browser). - To use a different host port, set
BENCH_HOST_PORTin.env(the port inside the container stays 9443). - The protection set and actions are defined in
packages/monitor-config.json.