In this step-by-step workshop, you'll learn how to exploit this Java application and which code changes you need to make to fix it.
- Java 8
- Maven
- Browser (preferably Chrome)
- IDE / Code editor
This workshop contains a demo Java application built with Spring Boot and Thymeleaf. Its source code contains a number of security issues. During the workshop, you will locate, exploit and fix the vulnerabilities in this application.
The vulnerabilities covered in this workshop:
- XML External Entity injection (XXE)
- SQL injection
- Cross-site scripting (XSS)
- Insecure password storage (plain-text passwords instead of a cryptographic hash)
- Check out the repository
- Go to the `java-code-workshop` folder
- Run `mvn clean package`
- Run `mvn spring-boot:run`
Alternatively, you can run the Spring Boot application from your IDE.
When the application is running, you can access it at http://localhost:8080/
The application lets you search a user database and perform some basic admin tasks on it. Play around for a bit to see how it works.
On the Search page, you can search the users by username. By using a `%` you can provide wildcards. For instance, `Super%` will give you the result for Superman.
Using the search term `%man`
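As an added example (not code from the workshop application), the stand-alone Java program below shows the shape of the bug this exercise is about and its fix: a search that concatenates the term into a `LIKE` query next to one that binds it as a `PreparedStatement` parameter. It assumes the H2 JDBC driver is on the classpath (an in-memory `jdbc:h2:mem:` database); the `app_users` table, its rows and the query text are constructed for the demo and are not the application's schema.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class SearchInjectionDemo {

    // Vulnerable: the search term is concatenated straight into the SQL text, so a
    // single quote in the input ends the string literal and the rest is parsed as SQL.
    static List<String> searchVulnerable(Connection conn, String term) throws SQLException {
        String sql = "SELECT username FROM app_users WHERE username LIKE '" + term + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Fixed: the term is bound as a parameter. The database never parses it as SQL,
    // so quotes are just characters, while LIKE wildcards (%) keep working as intended.
    static List<String> searchSafe(Connection conn, String term) throws SQLException {
        String sql = "SELECT username FROM app_users WHERE username LIKE ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, term);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory table standing in for the workshop's user database (assumption).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE app_users (username VARCHAR(50), password VARCHAR(50))");
                st.execute("INSERT INTO app_users VALUES ('Superman', 's3cret'), ('Batman', 'd4rk'), ('Wonder Woman', 'l4sso')");
            }
            String wildcard = "Super%";        // intended use of the search feature
            String injected = "x' OR '1'='1";  // closes the string literal and appends a tautology

            System.out.println("vulnerable, Super%   : " + searchVulnerable(conn, wildcard));
            System.out.println("vulnerable, injected : " + searchVulnerable(conn, injected));
            System.out.println("safe, Super%         : " + searchSafe(conn, wildcard));
            System.out.println("safe, injected       : " + searchSafe(conn, injected));
        }
    }
}
```

Run it and compare the four lines: the concatenated query treats `x' OR '1'='1` as SQL and returns every user, while the parameterised query treats the same input as a string to match and returns no rows. `Super%` behaves identically in both, so binding the parameter does not break the wildcard feature.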
On the Import page, you can import new users by uploading an XML file.
We already created a sample XML file, `users.xml`, that you can use to import new users.
2b Edit the file so that the import makes the server read the `/etc/passwd` file on your machine (or any other file the server process can read, for that matter).
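As an added example (not code from the workshop), the program below shows the technique behind this exercise in isolation: a default JDK `DocumentBuilderFactory` resolves the external entity in a DOCTYPE and pastes the referenced file into the parsed document, while a factory that disallows DOCTYPE declarations rejects the same payload. The payload is constructed here to mimic a `users.xml` with one `<user>`; it points at a temporary file instead of `/etc/passwd` so the demo runs on any OS. If the application parses its import with something other than `DocumentBuilderFactory` (SAX, StAX, JAXB, ...), the equivalent switch is different, but the principle of refusing DTDs is the same.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeImportDemo {

    // Vulnerable: a default DocumentBuilderFactory processes the DOCTYPE and resolves
    // external entities, so &secret; is replaced with the contents of the referenced file.
    static String firstUsernameVulnerable(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return firstUsername(f.newDocumentBuilder(), xml);
    }

    // Fixed: refuse DOCTYPE altogether. Without a DTD there are no entity declarations,
    // which rules out external entities and entity-expansion ("billion laughs") attacks.
    static String firstUsernameHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return firstUsername(f.newDocumentBuilder(), xml);
    }

    private static String firstUsername(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("username").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd; the real attack names whatever file
        // the server process is allowed to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "root:x:0:0:root:/root:/bin/bash".getBytes(StandardCharsets.UTF_8));

        // Constructed import payload modelled on a users.xml with a single <user> element.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE users [<!ENTITY secret SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<users><user><username>&secret;</username><password>pw</password></user></users>";

        try {
            System.out.println("vulnerable parser imported username: " + firstUsernameVulnerable(payload));
            try {
                firstUsernameHardened(payload);
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the import: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The first line of output shows the file contents where a username should be, which is exactly what an import page hands back to the attacker (or stores in the database for later viewing). The hardened parser throws a `SAXParseException` as soon as it sees the DOCTYPE, before any entity is resolved.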
On the Add User page you can manually add new users. This is quite straightforward.
We just proved that we can execute code in the user's browser.
We also showed that the script can simply read and display the cookie. Imagine that the script instead sent the session token in that cookie to a website under our control: we could then take over your session.
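As an added example (not code from the workshop), the program below renders a stored username through Thymeleaf in the two ways a template can output a value: `th:utext`, which inserts the value as raw markup and is one common way a Thymeleaf page ends up with stored XSS, and `th:text`, which HTML-escapes it. Whether this application's bug is a `th:utext` is for you to find; the example assumes Thymeleaf 3 is on the classpath (it is part of `spring-boot-starter-thymeleaf`) and the template snippets and payload are constructed for the demo.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class XssRenderDemo {

    // One engine that treats the template argument itself as the HTML template text.
    private static final TemplateEngine ENGINE = new TemplateEngine();
    static {
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        ENGINE.setTemplateResolver(resolver);
    }

    // Vulnerable: th:utext ("unescaped text") writes the value into the page as markup,
    // so a <script> element stored as a username runs in every visitor's browser.
    static String renderUnescaped(String username) {
        Context ctx = new Context();
        ctx.setVariable("username", username);
        return ENGINE.process("<td th:utext=\"${username}\"></td>", ctx);
    }

    // Fixed: th:text HTML-escapes the value, so the browser can only ever display it as text.
    static String renderEscaped(String username) {
        Context ctx = new Context();
        ctx.setVariable("username", username);
        return ENGINE.process("<td th:text=\"${username}\"></td>", ctx);
    }

    public static void main(String[] args) {
        // Constructed payload of the kind an attacker would submit on the Add User page.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println("th:utext -> " + renderUnescaped(payload));
        System.out.println("th:text  -> " + renderEscaped(payload));
    }
}
```

With `th:text` the angle brackets come out as `&lt;` and `&gt;`, so the browser shows the literal text instead of executing it. Output encoding at render time is the fix; input filtering on the Add User form is at best a second layer, since the same data can also arrive through the XML import.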
The passwords of the users are stored in plain text. This is not acceptable: anyone who can read the database (through the search page, a backup, or the SQL injection from exercise 1) can read every password. For storing passwords it is recommended to use a strong cryptographic hashing function designed for passwords.
In short: a hashing function is a one-way function that transforms a string into a fixed-size sequence of bytes (the hash). The function is irreversible, so you cannot use it to recover the original string. A cryptographic hashing function is a hashing function that is suitable for cryptographic purposes: it is infeasible to find an input for a given hash or two inputs with the same hash. For passwords, a fast general-purpose hash such as SHA-256 is still not enough, because an attacker can try billions of guesses per second; use a deliberately slow, salted password hash such as BCrypt.
4b Make sure that the password of a `User` is not stored in plain text. Instead, store the BCrypt hash.
You can test the password of a user by clicking the blue "Test password ..." button on the Search page. A new page opens where you can enter the original password. Make sure that this functionality works again once only the hash is stored.
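As an added example (not the workshop's own code), the program below ties together the hashing explanation above and steps 4b and the "Test password" requirement: a user is created with a BCrypt hash instead of the clear-text password, and the password check compares a candidate against that hash. It uses `BCryptPasswordEncoder` from Spring Security's crypto module, which is an assumption about the classpath (`spring-security-crypto`, pulled in by any Spring Security starter); the `User` class here is a minimal stand-in for the application's entity, not its real definition.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordStorageDemo {

    // Default strength (cost factor 10); raise it as hardware gets faster.
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    // Minimal stand-in for the workshop's User entity (assumption): only the stored credential matters here.
    static class User {
        final String username;
        final String passwordHash;

        User(String username, String passwordHash) {
            this.username = username;
            this.passwordHash = passwordHash;
        }
    }

    // On "Add User" and on import: never keep the clear text, persist encode(password) instead.
    // encode() generates a fresh random salt per call and embeds it in the returned string.
    static User createUser(String username, String clearTextPassword) {
        return new User(username, ENCODER.encode(clearTextPassword));
    }

    // On "Test password": re-hash the candidate with the salt stored in the hash and compare.
    // The clear-text password is never needed again, so it need not be stored anywhere.
    static boolean testPassword(User user, String candidate) {
        return ENCODER.matches(candidate, user.passwordHash);
    }

    public static void main(String[] args) {
        User superman = createUser("Superman", "krypton1te");
        System.out.println("stored for Superman       : " + superman.passwordHash);
        System.out.println("same password hashed again: " + ENCODER.encode("krypton1te"));
        System.out.println("correct password accepted : " + testPassword(superman, "krypton1te"));
        System.out.println("wrong password rejected   : " + !testPassword(superman, "lexluthor"));
    }
}
```

Two things to notice when you run it: the stored value starts with `$2a$10$` and looks nothing like the password, and hashing the same password twice gives two different strings because each call uses a new salt. That is why the "Test password" page must call `matches()` against the stored hash rather than hashing the input again and comparing strings.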