{"id":17004327,"url":"https://github.com/msdousti/owasp-java","last_synced_at":"2025-10-07T20:10:21.510Z","repository":{"id":168154415,"uuid":"220544504","full_name":"msdousti/OWASP-Java","owner":"msdousti","description":"A seriously flawed Java project for teaching \"OWASP Top 10 - 2017\" concepts.","archived":false,"fork":false,"pushed_at":"2022-11-27T14:04:13.000Z","size":1273,"stargazers_count":4,"open_issues_count":0,"forks_count":10,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-19T13:43:43.210Z","etag":null,"topics":["css","intellij-idea","java","javascript","jsp","maven","mysql","owasp-top-10","payara-server","security","servlet","web"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/msdousti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-11-08T20:42:53.000Z","updated_at":"2022-12-08T03:31:26.000Z","dependencies_parsed_at":null,"dependency_job_id":"d66d9c41-278d-4c48-8b3f-8fe8f5ddc21f","html_url":"https://github.com/msdousti/OWASP-Java","commit_stats":null,"previous_names":["msdousti/owasp-java"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/msdousti/OWASP-Java","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msdousti%2FOWASP-Java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msdousti%2FOWASP-Java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msdousti%2FOWASP-Java/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msdousti%2FOWASP-Java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/msdousti","download_url":"https://codeload.github.com/msdousti/OWASP-Java/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msdousti%2FOWASP-Java/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278838434,"owners_count":26054720,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["css","intellij-idea","java","javascript","jsp","maven","mysql","owasp-top-10","payara-server","security","servlet","web"],"created_at":"2024-10-14T04:43:21.407Z","updated_at":"2025-10-07T20:10:21.503Z","avatar_url":"https://github.com/msdousti.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OWASP Java - Vulnerability Showcase\n\n![Serious warning](extra/images/Danger.png)\n\nA **seriously flawed** Java project for teaching [OWASP Top 10 - 2017](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) concepts.\n\n```\nDO NOT USE ANY PART OF THIS CODE IN PRODUCTION.\n```\n\n## Getting Started\n\nThese instructions will get you a copy of the project up and running on your local machine for development and testing 
purposes.\n\n### Prerequisites\n\nYou'll need:\n\n* [JDK 11](https://www.oracle.com/javadownload). I used version \"11.0.5\" 2019-10-15 LTS.\n* [Payara Server](https://www.payara.fish/software/downloads/). I used version Payara Server 5.193.1 Full.\n* [MySQL Community Server 8](https://dev.mysql.com/downloads/mysql/). I used MySQL Community Server 8.0.18.\n* [MySQL Connector/J 8](https://dev.mysql.com/downloads/connector/j/). I used \"Platform Independent,\" version 8.0.18.\n* [IntelliJ IDEA](https://www.jetbrains.com/idea/). Not a prerequisite per se, but it would be hard to work with the project without it. I used IntelliJ IDEA 2019.2.3.\n\n#### JDK 11\nInstall the JDK, and configure the environment variables `JAVA_HOME` and `PATH` properly. Some guidelines are provided in [this Stackoverflow post](https://stackoverflow.com/q/1672281/459391).\n\nOpen a command prompt, and make sure everything works smoothly:\n\n![Setting up JDK-11](extra/images/jdk-11.png)\n\n#### MySQL Community Server 8\nUnzip MySQL, and go to the `bin` directory. Execute the following command (*not recommended* for production environments):\n```\nmysqld --initialize-insecure\n```\n\nThis command initializes the data directory, and creates a `'root'@'localhost'` superuser account with an empty password.\n\nTo install the service on Windows machines, run:\n```\nmysqld --install\n```\n\nFinally, to start the service, run:\n```\nsc start mysql\n```\n\nTo check whether the installation was successful, issue the command `mysql -uroot`:\n![MySQL console](extra/images/mysql.png)\n\nType `exit`, and press `Enter` to leave the MySQL console.\n\nWe need to create our sample database, and populate it with sample data. The SQL file is called [testdb.sql](extra/testdb.sql). 
Download it to the MySQL `bin` directory, and from there execute the following command:\n```\nmysql -uroot \u003c testdb.sql\n```\n\nIf everything goes smoothly, you can issue the commands and see the results as shown below:\n\n![MySQL - check database creation and data population](extra/images/mysql-2.png)\n\nFinally, change the `root` password to `123456`, as empty passwords will not be accepted by Payara Server (next step). Notice that the password itself, as well as the following method for changing the password, are **totally insecure**:\n```\nmysqladmin --user=root password \"123456\"\n```\n\n#### Payara Server\nDownload and extract Payara Server, as well as MySQL Connector/J. I extracted the latter to `C:\\tmp\\mysql-connector-java-8.0.18.jar`.\n\nMake sure you followed the instructions for installing and configuring JDK-11. Start Payara Server using the following command:\n```\nasadmin start-domain\n```\n\nNext, install MySQL Connector/J:\n```\nasadmin add-library C:\\tmp\\mysql-connector-java-8.0.18.jar\n```\n\nHere's a snapshot of how things should look:\n\n![Payara - starting server and installing MySQL Connector/J](extra/images/payara.png)\n\nOpen the [Payara Web Console](http://localhost:4848/), and navigate to `Resources → JDBC → JDBC Connection Pools`. Click the `New` button.\n\n![Payara - creating new connection pool](extra/images/payara-new-cp.png)\n\nFor Step 1, fill in the information exactly as follows:\n\n![Payara - connection pool - step 1 of 2](extra/images/payara-new-cp-step1.png)\n\nFor Step 2, scroll down until you see the `Additional Properties`:\n\n![Payara - connection pool - step 2 of 2](extra/images/payara-new-cp-step2.png)\n\nYou have to set the following properties (sorted alphabetically):\n\n* `allowPublicKeyRetrieval`: Whether the client is allowed to automatically request the public key from the server. Set to `true`. 
(Not recommended in production environments)\n* `DatabaseName`: The name of the database you want to connect to. In this case, `testdb`.\n* `Password`: The password for the specified user. Here, it's `123456`.\n* `ServerName`: The location of the MySQL server. In this case, `localhost`.\n* `sslMode`: Whether SSL is used for connecting to the MySQL server. Set it to `DISABLED`. (Not recommended in production environments)\n* `URL` and `Url`: The JDBC URL to be used. Here, set it to `jdbc:mysql://localhost:3306/testdb`.\n* `User`: The username for connecting to the database. Here, it's `root`.\n\nHit the `Finish` button. Click the newly created connection pool. In the `General` tab, click the `Ping` button. If everything goes right, you should see the following:\n\n![Payara - connection pool - Ping](extra/images/payara-new-cp-step2.png)\n\nSimilarly, create another connection pool called `MySQL_readonly_Pool`. Step 1 is the same as for the previous connection pool. For Step 2, set the `Additional Properties` as follows:\n\n* `allowPublicKeyRetrieval: true`.\n* `DatabaseName:            testdb`.\n* `Password:                MyVeryLongPassphrase`.\n* `ServerName:              localhost`.\n* `sslMode:                 DISABLED`.\n* `URL:                     jdbc:mysql://localhost:3306/testdb`.\n* `Url:                     jdbc:mysql://localhost:3306/testdb`.\n* `User:                    readonly`.\n\nWe need to set up the JDBC resources. Go to `Resources → JDBC → JDBC Resources`, and click `New`. Fill in the form as follows:\n\n* `JNDI Name: jdbc/MySQL_root_DataSource`\n* `Connection Pool: MySQL_root_Pool`\n\n![Payara - JDBC Resources](extra/images/payara-new-jdbc-res.png)\n\nSimilarly, do this for the second connection pool:\n* `JNDI Name: jdbc/MySQL_readonly_DataSource`\n* `Connection Pool: MySQL_readonly_Pool`\n\nFinally, issue the following command to stop the Payara Server. 
\n```\nasadmin stop-domain\n```\nThis is done since IntelliJ IDEA automatically starts the server.\n\n#### IntelliJ IDEA\nOpen the project in IntelliJ IDEA. It notifies you that `Web framework is detected`:\n\n![Frameworks Detected](extra/images/intellij-framework-detected.png)\n\nClick `Configure` to open the `Setup Frameworks` window. Then, simply click OK:\n\n![Setup Frameworks](extra/images/intellij-setup-frameworks.png)\n\nSelect `Run → Edit Configurations...`. Open `Templates → GlassFish Server → Local`. Click `Configure`:\n\n![Edit GlassFish template](extra/images/intellij-glassfish-local.png)\n\nSelect `GlassFish Home`. If selected correctly, IntelliJ will automatically detect the `GlassFish Version`:\n\n![GlassFish Home](extra/images/intellij-glassfish-home.png)\n\nClick `OK`. From the `Server Domain` drop-down box, select `domain1`.\n\n![Server Domain](extra/images/intellij-domain1.png)\n\nClick `Apply`. You now have a proper GlassFish template which you can use across multiple projects. But for each project, you need to configure the \"artifact\" to be deployed. To this end, click the `+` at the top-left, and select `GlassFish Server → Local`:\n\n![New Configuration](extra/images/intellij-new-config.png)\n\nAt the bottom, IntelliJ warns you that `No artifacts configured`. Simply click on the `Fix` button.\n\n![No artifacts configured](extra/images/intellij-no-artifacts.png)\n\nThen, in the `Artifacts` window, click on the `+` sign, and choose `Web Application Exploded → From Modules`.\n\n![New Artifact](extra/images/intellij-artifacts.png)\n\nPick the only available module, i.e., `OWASP-JAVA`, and click OK.\n\n![Select modules](extra/images/intellij-select-modules.png)\n\nClick OK to return to the `Run/Debug Configurations`. At the bottom, you'll see one more warning: `Debug settings are invalid or not suitable for local debugging`. 
Click the `Fix` button, and IntelliJ will take care of that for you.\n\n![Fix debug settings](extra/images/intellij-debug-settings.png)\n\nYou can now run the project. IntelliJ automatically opens your default browser, and navigates to `http://localhost:8080/OWASP_Java_war_exploded/`:\n\n![Login Page](extra/images/browser-1.png)\n\nEnter the following credentials:\n* Username: `kambiz`\n* Password: `1`\n\nIf everything works correctly, you'll be redirected to the user home page:\n\n![Home Page](extra/images/browser-2.png)\n\nOtherwise, you might need to look at the GlassFish logs, as reported by IntelliJ, to see what went wrong.\n\n![GlassFish logs](extra/images/intellij-glassfish-log.png)\n\nBy the way, I use the [Grep Console](https://plugins.jetbrains.com/plugin/7125-grep-console) plugin to analyze logs more easily.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsdousti%2Fowasp-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmsdousti%2Fowasp-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsdousti%2Fowasp-java/lists"}