A Java Web Application with common legacy security flaws for tests with Arachni Scanner and ModSecurity
Dikhanbayev/VulnerableJavaWebApplication
Vulnerable Java Web Application

This repository provides a simple, self-contained Java web application with security flaws that were common in mid-2000s legacy projects that have not been updated.

The application uses Spring Boot and an embedded H2 database that resets every time it starts. If you break it, just restart it and everything will be reset.

The application runs on HTTPS port 9000. If this port is not available, change the port in the application.properties file in the source folder. (If you are using Docker, you only need to map the container's port 9000 to a different port on the host.)

Running the application manually

If you have a Java 8 and Maven 3.x development environment, import the project into your IDE and run the class com.github.rafaelrpinto.vulnerablejavawebapp.config.AppLauncher.

Running with docker

If your workstation is not configured for Java 8 development, the easiest way to run the application is with Docker.

# gets the code
git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
cd VulnerableJavaWebApplication

# creates the docker image
docker build -t vulnerable-java-application:0.1 .

# creates/starts the container
docker run --name vulnerable-java-application -p 9000:9000 -d vulnerable-java-application:0.1

Testing the application with Arachni and ModSecurity

The ARACHNI.MD file contains an example of a default security scan with automatic login and other tweaks enabled. For more scanning options, see https://github.com/Arachni/arachni.

The ModSecurity scripts to protect this application are available in my other repository.

The article I wrote explaining how to use Arachni to check this application is available on LinkedIn.

If there is any problem running the application, or you want to add more security flaws, feel free to open an issue or send a pull request.
