Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/joychou93/java-sec-code

Java web common vulnerabilities and security code which is base on springboot and spring security
https://github.com/joychou93/java-sec-code

benchmark code cors deserialize java jsonp rce rmi security spel sqli ssrf tomcat web xxe

Last synced: 26 days ago
JSON representation

Java web common vulnerabilities and security code which is base on springboot and spring security

Host: GitHub
URL: https://github.com/joychou93/java-sec-code
Owner: JoyChou93
Created: 2017-12-26T06:54:35.000Z (almost 7 years ago)
Default Branch: master
Last Pushed: 2024-02-01T22:05:21.000Z (9 months ago)
Last Synced: 2024-02-17T10:38:53.514Z (9 months ago)
Topics: benchmark, code, cors, deserialize, java, jsonp, rce, rmi, security, spel, sqli, ssrf, tomcat, web, xxe
Language: Java
Homepage:
Size: 427 KB
Stars: 2,180
Watchers: 47
Forks: 625
Open Issues: 15
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Java Sec Code

Java sec code is a very powerful and friendly project for learning Java vulnerability code.

[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋

## Recruitment

[Alibaba-Security attack and defense/research（P5-P7）](https://github.com/JoyChou93/java-sec-code/wiki/Alibaba-Purple-Team-Job-Description)

## Introduce

This project can also be called Java vulnerability code. 

Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments.

Due to the server expiration, the online demo site had to go offline.

Login username & password:

```

admin/admin123

joychou/joychou123

```

## Vulnerability Code

Sort by letter.

- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)

- [CommandInject](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CommandInject.java)

- [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)

- [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)

- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)

- [CVE-2022-22978](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)

- [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)

- [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)

- [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)

- [GetRequestURI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/GetRequestURI.java)

- [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)

- [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)

- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jsonp.java)

- [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)

- [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)

- [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)

- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)

- [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)

  - Runtime

  - ProcessBuilder

  - ScriptEngine

  - Yaml Deserialize  

  - Groovy

- [Shiro](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Shiro.java)

- [Swagger](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/config/SwaggerConfig.java)

- [SpEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SpEL.java)

- [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)

- [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java)

- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java)

- [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java)

- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java)

- [xlsxStreamerXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/xlsxStreamerXXE.java)

- [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java)

- [XStream](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XStreamRce.java)

- [XXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XXE.java)

- [JWT](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Jwt.java)

## Vulnerability Description

- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE)

- [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS)

- [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF)

- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize)

- [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson)

- [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI)

- [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP)

- [POI-OOXML XXE](https://github.com/JoyChou93/java-sec-code/wiki/Poi-ooxml-XXE)

- [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject)

- [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF)

- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI)

- [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass)

- [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE)

- [JWT](https://github.com/JoyChou93/java-sec-code/wiki/JWT)

- [Others](https://github.com/JoyChou93/java-sec-code/wiki/others)

## How to run

The application will use mybatis auto-injection. Please run mysql server ahead of time and configure the mysql server database's name and username/password except docker environment.

``` 

spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code

spring.datasource.username=root

spring.datasource.password=woshishujukumima

```

- Docker

- IDEA

- Tomcat

- JAR

### Docker

Start docker:

``` 

docker-compose pull

docker-compose up

```

Stop docker:

```

docker-compose down

```

Docker's environment:

- Java 1.8.0_102

- Mysql 8.0.17

- Tomcat 8.5.11

### IDEA

- `git clone https://github.com/JoyChou93/java-sec-code`

- Open in IDEA and click `run` button.

Example:

```

http://localhost:8080/rce/exec?cmd=whoami

```

return:

```

Viarus

```

### Tomcat

- `git clone https://github.com/JoyChou93/java-sec-code` & `cd java-sec-code`

- Build war package by `mvn clean package`.

- Copy war package to tomcat webapps directory.

- Start tomcat application.

Example:

```

http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami

```

return:

```

Viarus

```

### JAR

Change `war` to `jar` in `pom.xml`.

```xml

sec

java-sec-code

1.0.0

war

```

Build package and run.

```

git clone https://github.com/JoyChou93/java-sec-code

cd java-sec-code

mvn clean package -DskipTests 

java -jar target/java-sec-code-1.0.0.jar

```

## Authenticate

### Login

[http://localhost:8080/login](http://localhost:8080/login)

If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows.

```

admin/admin123

joychou/joychou123

```

### Logout

[http://localhost:8080/logout](http://localhost:8080/logout)

### RememberMe

Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks.

## Contributors

Core developers : [JoyChou](https://github.com/JoyChou93), [liergou9981](https://github.com/liergou9981)

Other developers: [lightless](https://github.com/lightless233),  [Anemone95](https://github.com/Anemone95), [waderwu](https://github.com/waderwu). 

## Support

If you like the poject, you can star java-sec-code project to support me. With your support, I will be able to make `Java sec code` better 😎.