k-tamura / easybuggy Goto Github PK

Too buggy web application

License: Apache License 2.0

Java 98.55% HTML 1.02% Dockerfile 0.43%

java buggy vulnerabilities errors exceptions troubleshooting performance

easybuggy's Introduction

EasyBuggy 🚼

EasyBuggy is a broken web application in order to understand behavior of bugs and vulnerabilities, for example, memory leak, deadlock, JVM crash, SQL injection and so on.

🕓 Quick Start

$ mvn clean install

( or java -jar easybuggy.jar or deploy ROOT.war on your servlet container with the JVM options. )

Access to

http://localhost:8080

🕓 Quick Start(Docker)

$ docker build . -t easybuggy:local # Build container image
$ docker run -p 8080:8080 easybuggy:local # Start easybuggy

Access to

http://localhost:8080

To stop:

Use CTRL+C ( or access to: http://localhost:8080/exit )

🕓 For more detail

See the wiki page.

🕓 Demo

This demo shows: Start up -> Infinite Loop -> LDAP Injection -> UnsatisfiedLinkError -> BufferOverflowException -> Deadlock -> Memory Leak -> JVM Crash (Shut down)

🕓 EasyBuggy can reproduce:

Troubles
- Memory Leak (Java heap space)
- Memory Leak (PermGen space)
- Memory Leak (C heap space)
- Deadlock (Java)
- Deadlock (SQL)
- Endless Waiting Process
- Infinite Loop
- Redirect Loop
- Forward Loop
- JVM Crash
- Network Socket Leak
- Database Connection Leak
- File Descriptor Leak
- Thread Leak
- Mojibake
- Integer Overflow
- Round Off Error
- Truncation Error
- Loss of Trailing Digits
Vulnerabilities
- XSS (Cross-Site Scripting)
- SQL Injection
- LDAP Injection
- Code Injection
- OS Command Injection (OGNL Expression Injection)
- Mail Header Injection
- Null Byte Injection
- Extension Unrestricted File Upload
- Size Unrestricted File Upload
- Open Redirect
- Brute-force Attack
- Session Fixation Attacks
- Verbose Login Error Messages
- Dangerous File Inclusion
- Directory Traversal
- Unintended File Disclosure
- CSRF (Cross-Site Request Forgery)
- XEE (XML Entity Expansion)
- XXE (XML eXternal Entity)
- Clickjacking
Performance Degradation
- Slow Regular Expression Parsing
- Delay of creating string due to +(plus) operator
- Delay due to unnecessary object creation
Errors
- AssertionError
- ExceptionInInitializerError
- FactoryConfigurationError
- GenericSignatureFormatError
- NoClassDefFoundError
- OutOfMemoryError (Java heap space)
- OutOfMemoryError (Requested array size exceeds VM limit)
- OutOfMemoryError (unable to create new native thread)
- OutOfMemoryError (GC overhead limit exceeded)
- OutOfMemoryError (PermGen space)
- OutOfMemoryError (Direct buffer memory)
- StackOverflowError
- TransformerFactoryConfigurationError
- UnsatisfiedLinkError

🕓 EasyBuggy clones:

EasyBuggy Boot

EasyBuggy clone build on Spring Boot
EasyBuggy Bootlin

EasyBuggy clone build on Spring Boot and written in Kotlin
EasyBuggy Django

EasyBuggy clone build on Django 2 and written in Python

easybuggy's People

Contributors

Stargazers

Watchers

Forkers

annpin yosuke310 y-oda mmizutani hatimiti toya256 takkyuuplayer legionregion hildebrandttk tsuji nobu12 xiaoyan1985 velaciela-ringwing2007 cyoco bravery9 modulexcite a-min3 mickey8 imulmul rezaduty orinbou bds1965 takashi-tanaka icukeup romayankin ds-trung-nguyen ds-que-bui kiwamu-donuts josh31080bolt cx-demo br-demo-org rjg-ws-demo vjohari hitsumabushi845 quentin-jaquier-sonarsource cmaheshbl kfwhitsource yarivshapira toshi-snyk ksoma105 xsenonn rinkal26 shai-ghe nircheckmarx hareeshvp anaplantestenv adamthecreator samheadrickcx s-bandou hotogayato coffeeforyou istvanbenedek autoscanforjavafork tdc-yamada-ya santiagotoro97 joshbnewton-sast guiboy424 andipodgorica antomon0 link3force domigg alvaritocaro sergioerramuzpe penguinmura sharonkoch cheewxiang joshnewton31080 menddemo-josh joshn-sast-test rsoreq-mend vulnerable-apps robertmicklecx specbiz-dev shaneclarke-whitesource piotrkozowicz marcdonovan nirshaharabani kobtea jeenafrancis joecare svg-codecat luisillobret2 feemstr reddymmkr jesse-ghe-2 devopsadmin12 lukebrogan-mend nashatamer joshnewton31080 joshbnewton31080 tjarrettveracode gabrielparadis2 lucassasha miora-rr ferieltabbane spanyala requisssent deanshapira benjaminb-charest aadav86

easybuggy's Issues

EasyBuggy Windows MSI Installer

JSON.parse() does not work with OpnJDK 1.7.0_79 on CentOS 6.3

JSON.parse() does not work with OpnJDK 1.7.0_79 on CentOS 6.3.

sun.org.mozilla.javascript.EcmaError: ReferenceError: "JSON" is not defined.

Fail to build with JDK 11.0.6 + Maven 3.6.3

Hello,

I can't build this project using JDK 11.0.6 and Apache Maven 3.6.3

$ java -version
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode)

I'm getting this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project easybuggy: Compilation failure
[ERROR] error: error while generating class <anonymous org.t246osslab.easybuggy.errors.GenericSignatureFormatErrorServlet$1>
[ERROR]
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.2:compile (default-compile) on project easybuggy: Compilation failure
error: error while generating class <anonymous org.t246osslab.easybuggy.errors.GenericSignatureFormatErrorServlet$1>

    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.CompilationFailureException: Compilation failure
error: error while generating class <anonymous org.t246osslab.easybuggy.errors.GenericSignatureFormatErrorServlet$1>

    at org.apache.maven.plugin.AbstractCompilerMojo.execute (AbstractCompilerMojo.java:656)
    at org.apache.maven.plugin.CompilerMojo.execute (CompilerMojo.java:128)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

FileNotFoundException on Jetty * Windows

If using Jetty on Windows, the following exception is thrown:

2017-03-03 14:07:08 ERROR UnrestrictedUploadServlet Exception occurs:
java.io.FileNotFoundException: C:\Users\ktamura\git\easybuggy\target\easybuggy-1-SNAPSHOT\uploadFiles\easybuggy.png (要求された操作はユーザーマップセクションで開いたファイルでは実行できません。)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.(FileOutputStream.java:213)
at java.io.FileOutputStream.(FileOutputStream.java:101)
at org.t246osslab.easybuggy.troubles.UnrestrictedUploadServlet.doPost(UnrestrictedUploadServlet.java:83)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1507)
at org.t246osslab.easybuggy.utils.EncodingFilter.doFilter(EncodingFilter.java:37)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1487)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:427)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:984)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1045)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:231)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Thread.java:745)

Probabry the cause is:
http://www.eclipse.org/jetty/documentation/9.4.x/troubleshooting-locked-files-on-windows.html

SLF4J compatibility error

SLF4J compatibility error is recorded:

SLF4J: The requested version 1.6.99 by your slf4j binding is not compatible with [1.5.5, 1.5.6]
SLF4J: See http://www.slf4j.org/codes.html#version_mismatch for further details.

Suppress noisy ESAPI messages

ESAPI records the following messages at first access:

System property [org.owasp.esapi.opsteam] is not setAttempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.

System property [org.owasp.esapi.devteam] is not set
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\git\easybuggy\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
SecurityConfiguration for Validator.ConfigurationFile not found in ESAPI.properties. Using default: validation.properties
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: C:\Users\ktamura\git\easybuggy\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in 'user.home' (C:\Users\ktamura) directory: C:\Users\ktamura\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.

Embedded Jetty does not shut down with CTRL+C (Windows + Oracle JRE8)

Workarond: Click the "JVM Crash" link on the main page or kill process by Windows task manager.
See also: https://groups.google.com/forum/#!topic/clojure/6-BvlgB7Nrw

JVMCrashByEAVServlet does not work on OpenJDK 7

JVMCrashByEAVServlet does not work on OpenJDK 7.

Build Issue with maven-antrun-plugin: "Plugin execution not covered by lifecycle configuration"

Eclipse shows the error:

Description Resource Path Location Type
Plugin execution not covered by lifecycle configuration: org.apache.maven.plugins:maven-antrun-plugin:1.3:run (execution: create-empty-directory, phase: process-classes) pom.xml /openbuggy line 98 Maven Project Build Lifecycle Mapping Problem

ERROR DefaultAttributeTypeRegistry attributeType w/ OID 2.5.4.16 not registered!

The error is recorded during LDAP search:

2017-02-16 23:40:18 ERROR DefaultAttributeTypeRegistry attributeType w/ OID 2.5.4.16 not registered!