{"id":13837562,"url":"https://github.com/JoyChou93/java-sec-code","last_synced_at":"2025-07-10T18:33:38.918Z","repository":{"id":38420584,"uuid":"115394871","full_name":"JoyChou93/java-sec-code","owner":"JoyChou93","description":"Java web common vulnerabilities and security code which is base on springboot and spring security","archived":false,"fork":false,"pushed_at":"2024-12-02T20:14:27.000Z","size":468,"stargazers_count":2513,"open_issues_count":5,"forks_count":679,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-05-21T03:09:22.917Z","etag":null,"topics":["benchmark","code","cors","deserialize","java","jsonp","rce","rmi","security","spel","sqli","ssrf","tomcat","web","xxe"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JoyChou93.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-26T06:54:35.000Z","updated_at":"2025-05-15T17:10:46.000Z","dependencies_parsed_at":"2024-05-30T05:09:47.801Z","dependency_job_id":"9a5d691d-45a8-4c86-9f47-ccf7bb563e8e","html_url":"https://github.com/JoyChou93/java-sec-code","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/JoyChou93/java-sec-code","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Fjava-sec-code","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Fjava-sec-code/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Fjava-sec-code/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Fjava-sec-code/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JoyChou93","download_url":"https://codeload.github.com/JoyChou93/java-sec-code/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JoyChou93%2Fjava-sec-code/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264631212,"owners_count":23640941,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["benchmark","code","cors","deserialize","java","jsonp","rce","rmi","security","spel","sqli","ssrf","tomcat","web","xxe"],"created_at":"2024-08-04T15:01:14.048Z","updated_at":"2025-07-10T18:33:38.632Z","avatar_url":"https://github.com/JoyChou93.png","language":"Java","readme":"# Java Sec Code\n\n\nJava sec code is a very powerful and friendly project for learning Java vulnerability code.\n\n[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋\n\n## Recruitment\n\n[Alibaba-Security attack and defense/research（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)\n\n\n## Introduce\n\nThis project can also be called Java vulnerability code. \n\nEach vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.\n\nDue to the server expiration, the online demo site had to go offline.\n\nLogin username \u0026 password:\n\n```\nadmin/admin123\njoychou/joychou123\n```\n\n\n## Vulnerability Code\n\nSort by letter.\n\n- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)\n- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)\n- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)\n- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)\n- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)\n- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)\n- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)\n- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)\n- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)\n- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)\n- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)\n- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)\n- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)\n- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)\n- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)\n- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)\n- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)\n- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)\n  - Runtime\n  - ProcessBuilder\n  - ScriptEngine\n  - Yaml Deserialize  \n  - Groovy\n- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)\n- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)\n- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)\n- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)\n- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)\n- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)\n- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)\n- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)\n- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)\n- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)\n- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)\n- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)\n- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)\n\n\n## Vulnerability Description\n\n- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)\n- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)\n- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)\n- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)\n- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)\n- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)\n- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)\n- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)\n- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)\n- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)\n- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)\n- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)\n- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)\n- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)\n- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)\n\n## How to run\n\nThe application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.\n\n``` \nspring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code\nspring.datasource.username=root\nspring.datasource.password=woshishujukumima\n```\n\n- Docker\n- IDEA\n- Tomcat\n- JAR\n\n### Docker\n\n\nStart docker:\n\n``` \ndocker-compose pull\ndocker-compose up\n```\n\n\nStop docker:\n\n```\ndocker-compose down\n```\n\nDocker's environment:\n\n- Java 1.8.0_102\n- Mysql 8.0.17\n- Tomcat 8.5.11\n\n\n### IDEA\n\n- `git clone https://github.com/JoyChou93/java-sec-code`\n- Open in IDEA and click `run` button.\n\nExample:\n\n```\nhttp://localhost:8080/rce/exec?cmd=whoami\n```\n\nreturn:\n\n```\nViarus\n```\n\n### Tomcat\n\n- `git clone https://github.com/JoyChou93/java-sec-code` \u0026 `cd java-sec-code`\n- Build war package by `mvn clean package`.\n- Copy war package to tomcat webapps directory.\n- Start tomcat application.\n\nExample:\n\n```\nhttp://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami\n```\n\nreturn:\n\n```\nViarus\n```\n\n\n### JAR\n\nChange `war` to `jar` in `pom.xml`.\n\n```xml\n\u003cgroupId\u003esec\u003c/groupId\u003e\n\u003cartifactId\u003ejava-sec-code\u003c/artifactId\u003e\n\u003cversion\u003e1.0.0\u003c/version\u003e\n\u003cpackaging\u003ewar\u003c/packaging\u003e\n```\n\nBuild package and run.\n\n```\ngit clone https://github.com/JoyChou93/java-sec-code\ncd java-sec-code\nmvn clean package -DskipTests \njava -jar target/java-sec-code-1.0.0.jar\n```\n\n## Authenticate\n\n### Login\n\n[http://localhost:8080/login](http://localhost:8080/login)\n\nIf you are not logged in, accessing any page will redirect you to the login page. The username \u0026 password are as follows.\n\n```\nadmin/admin123\njoychou/joychou123\n```\n\n### Logout\n\n[http://localhost:8080/logout](http://localhost:8080/logout)\n\n### RememberMe\n\nTomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.\n\n\n## Contributors\n\nCore developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)\nOther developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). \n\n\n## Support\n\nIf you like the poject, you can star java-sec-code project to support me. With your support, I will be able to make `Java sec code` better 😎.\n","funding_links":[],"categories":["Java","Java (504)","Web安全"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJoyChou93%2Fjava-sec-code","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJoyChou93%2Fjava-sec-code","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJoyChou93%2Fjava-sec-code/lists"}