This repository contains several Java web applications and command line applications covering different security topics. Have a look at the slides from various events covering most of the applications in this repository.
Some web applications contain exercises, some are only there to inspect. Instructions are provided in detail on the start page of each web application. Using Mozilla Firefox as browser is strongly recommended, as some applications might not work correctly in other browsers. Java 8 and Maven 3 must be installed in order for these projects to compile.
Some web applications are based on Spring Boot and can be started via the main method in the Application class or via mvn spring-boot:run in the project directory. Projects containing a Dockerfile can be launched via docker container run -p 8080:8080 -t dschadow/[PROJECT] after the image has been created using mvn clean package docker:build or docker build -t dschadow/[PROJECT] . The other web applications either contain an embedded Tomcat7 Maven plugin which can be started via mvn tomcat7:run-war or an embedded Jetty Maven plugin which can be started via mvn jetty:run-war.
Access control demo project utilizing Spring Security in a Spring Boot application. Shows how to safely load user data from a database without using potentially faked frontend values. After launching, open the web application in your browser at http://localhost:8080.
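The point of this project, as an added example that is not the repository's own code: the record shown to a user is looked up by the identity Spring Security established at login, never by an id the browser sends. The controller assumes Spring MVC and Spring Security; UserRepository and User are hypothetical types standing in for a real data access layer.

```java
// Added example (not the repository's code). Assumes Spring MVC + Spring Security.
// UserRepository and User are hypothetical stand-ins for a real repository/entity.
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ProfileController {

    private final UserRepository users;

    public ProfileController(UserRepository users) {
        this.users = users;
    }

    // Vulnerable pattern: the id comes from the request and can be changed by the
    // client, so any authenticated user can read any other user's profile.
    @GetMapping("/profile/insecure")
    public String insecureProfile(@RequestParam("userId") long userId, Model model) {
        model.addAttribute("user", users.findById(userId));
        return "profile";
    }

    // Safe pattern: the identity comes from the security context that Spring Security
    // filled during authentication; nothing in the request influences which row is read.
    @GetMapping("/profile")
    public String profile(Model model) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("not authenticated");
        }
        model.addAttribute("user", users.findByUsername(auth.getName()));
        return "profile";
    }
}

// Hypothetical repository and entity, assumed only for this example.
interface UserRepository {
    User findById(long id);
    User findByUsername(String username);
}

class User {
    String username;
}
```

If a page legitimately needs to show another user's data (an admin view), the check belongs on the server as well: load the requester from the principal first, then verify that the requester is allowed to see the requested id before touching the database.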
Spring Boot based web application using a Content Security Policy (CSP) header. After launching, open the web application in your browser at http://localhost:8080.
Cross-Site Request Forgery (CSRF) demo project based on Spring Boot preventing CSRF in a web application by utilizing Spring Security. After launching, open the web application in your browser at http://localhost:8080.
Cross-Site Request Forgery (CSRF) demo project preventing CSRF in a JavaServer Pages (JSP) web application by utilizing the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080/csrf.
Direct object references (and indirect object references) demo project using Spring Boot and utilizing the Enterprise Security API (ESAPI). After launching, open the web application in your browser at http://localhost:8080.
Spring Boot based web application to experiment with OWASP ZAP as intercepting proxy. The goal is to receive SUCCESS from the backend. After launching, open the web application in your browser at http://localhost:8080.
Security response header demo project which applies X-Content-Type-Options, Cache-Control, X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection and Content Security Policy (CSP) (Level 1 and 2) headers to HTTP responses. After launching, open the web application in your browser at http://localhost:8080/security-header or https://localhost:8443/security-header.
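One way to apply the headers listed above in a plain servlet application, as an added example that is not the repository's own code: a Filter mapped to every URL that sets the headers before the response is committed. It assumes the Servlet 3.x API (javax.servlet); the policy values are constructed for the example and need adjusting to what the application actually loads.

```java
// Added example (not the repository's code). Assumes the Servlet 3.x API.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class SecurityHeaderFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) response;

        // Stop browsers from sniffing a different content type than the one declared.
        http.setHeader("X-Content-Type-Options", "nosniff");
        // Keep responses that may carry user data out of browser and shared caches.
        http.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        http.setHeader("Pragma", "no-cache");
        // Refuse to be rendered inside a frame on another origin (clickjacking).
        http.setHeader("X-Frame-Options", "DENY");
        // HSTS is only honoured over HTTPS, so only send it on a secure connection.
        if (request.isSecure()) {
            http.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }
        // Legacy browser XSS filter: block the page instead of trying to repair it.
        http.setHeader("X-XSS-Protection", "1; mode=block");
        // CSP: same-origin resources only, no inline script, no plugins, no framing
        // (frame-ancestors is the Level 2 replacement for X-Frame-Options).
        http.setHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'");

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Headers must be set before any body is written, which is why they go in front of chain.doFilter. A quick check after deployment is to request a page with curl -I and confirm every header is present on both the HTTP and the HTTPS port.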
Security logging demo project based on the OWASP Security Logging Project. After launching, open the web application in your browser at http://localhost:8080/security-logging.
Session handling demo project based on Spring Boot utilizing Spring Security and jasypt-spring-boot to secure Spring configuration (property) files. Shows how to restrict access to resources (URLs), how to apply method level security and how to securely store and verify passwords. Uses Spring Security for all security related functionality. Requires a system property (or environment variable or command line argument) named jasypt.encryptor.password with the value session-handling-spring-security present on startup. After launching, open the web application in your browser at http://localhost:8080.
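The three things this project demonstrates (URL restrictions, method level security, BCrypt password storage) in one configuration class, as an added example that is not the repository's own code. It assumes Spring Boot 1.x with Spring Security 4 (WebSecurityConfigurerAdapter); the two in-memory users and their passwords are constructed samples standing in for a database-backed UserDetailsService.

```java
// Added example (not the repository's code). Assumes Spring Boot 1.x / Spring Security 4.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on beans
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt with work factor 12; the per-password salt is embedded in the
        // stored hash, so verification needs no separate salt column.
        return new BCryptPasswordEncoder(12);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample users; a real application loads them from the database.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user").password(passwordEncoder().encode("user-password")).roles("USER").and()
            .withUser("admin").password(passwordEncoder().encode("admin-password")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/css/**", "/login").permitAll()   // public resources
                .antMatchers("/admin/**").hasRole("ADMIN")            // URL level restriction
                .anyRequest().authenticated()                         // everything else needs a login
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().logoutSuccessUrl("/")
                .and()
            .sessionManagement()
                .sessionFixation().changeSessionId()                  // new session id after login
                .maximumSessions(1);                                  // one active session per user
    }
}

// Method level security: the URL rule above is backed by a check on the service
// itself, so the method stays protected even if it is reached another way.
@Service
class AdminService {

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(String username) {
        // hypothetical deletion logic
    }
}
```

With jasypt-spring-boot the secrets in the property files are stored as ENC(...) values and decrypted at startup with the jasypt.encryptor.password mentioned above, so the plain values never sit in the repository.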
Session handling demo project using plain Java. Uses plain Java to create and update the session id after logging in. Requires a web server with Servlet 3.1 support. After launching, open the web application in your browser at http://localhost:8080/session-handling.
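The session id update after login that this project shows, as an added example that is not the repository's own code: a plain servlet that calls HttpServletRequest.changeSessionId() (Servlet 3.1) once the credentials are accepted, so an id established before login cannot be reused afterwards. The credential check is a constructed stub.

```java
// Added example (not the repository's code). Assumes the Servlet 3.1 API.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // A session that already existed before login keeps its attributes but gets a
        // fresh id; the previous id (possibly known to a third party) becomes invalid.
        HttpSession session = request.getSession(true);
        request.changeSessionId();

        session.setAttribute("user", username);
        session.setMaxInactiveInterval(15 * 60); // expire idle sessions after 15 minutes
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Logout: drop the whole session so the id cannot be reused.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/");
    }

    // Constructed stand-in for real credential verification against a stored hash.
    private boolean credentialsValid(String username, String password) {
        return "demo".equals(username) && "demo-password".equals(password);
    }
}
```

On a Servlet 3.0 container the equivalent is to invalidate the old session and create a new one, copying over any attributes that must survive the login.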
Spring Boot based web application to experiment with normal (vulnerable) statements, statements with escaped input, and prepared statements. After launching, open the web application in your browser at http://localhost:8080.
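The three statement styles this project lets you compare, written side by side as an added example that is not the repository's own code. It assumes a JDBC Connection and a constructed table customer(id, name, city).

```java
// Added example (not the repository's code). Assumes a JDBC Connection and a
// constructed table customer(id, name, city).
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class CustomerQueries {

    // Vulnerable: the user-supplied city becomes part of the SQL text, so a value
    // containing a quote can end the string literal and append further SQL.
    static List<String> findByCityVulnerable(Connection con, String city) throws SQLException {
        String sql = "SELECT name FROM customer WHERE city = '" + city + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return names(rs);
        }
    }

    // Escaped: single quotes are doubled before concatenation. This stops the plain
    // quote break-out but still mixes code and data, and does nothing for values used
    // outside quotes (numbers, identifiers) or for driver-specific escape rules.
    static List<String> findByCityEscaped(Connection con, String city) throws SQLException {
        String escaped = city.replace("'", "''");
        String sql = "SELECT name FROM customer WHERE city = '" + escaped + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return names(rs);
        }
    }

    // Prepared: the SQL text is fixed and the value travels as a bound parameter,
    // so the database never interprets it as part of the statement.
    static List<String> findByCityPrepared(Connection con, String city) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("SELECT name FROM customer WHERE city = ?")) {
            ps.setString(1, city);
            try (ResultSet rs = ps.executeQuery()) {
                return names(rs);
            }
        }
    }

    private static List<String> names(ResultSet rs) throws SQLException {
        List<String> result = new ArrayList<>();
        while (rs.next()) {
            result.add(rs.getString("name"));
        }
        return result;
    }
}
```

Bound parameters only protect values; table or column names chosen at runtime still have to be validated against a whitelist before they are placed in the SQL text.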
Contains a Spring Boot demo application with GitHub login. Requires you to set up an application in your GitHub account and to provide github.client.clientId and github.client.clientSecret as runtime parameters. After launching, open the web application in your browser at http://localhost:8080.
Cross-Site Scripting (XSS) demo project preventing XSS in a JavaServer Pages (JSP) web application by utilizing input validation, output escaping with OWASP Java Encoder and the Content Security Policy (CSP). After launching, open the web application in your browser at http://localhost:8080/xss.
All projects contain main methods to start the demo.
Crypto demo project using Java to hash passwords with different hashing algorithms. All classes contain main methods to execute the samples.
Crypto demo project using plain Java to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) keys as well as to sign and verify data (DSA). All classes contain main methods to execute the samples.
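Two of the operations this project covers, symmetric encryption and signing, as an added example that is not the repository's own code. It uses only the JDK: AES in GCM mode (so tampering with the ciphertext is detected on decryption) and SHA256withDSA for signatures. Keys are generated fresh for the run rather than loaded from a keystore, and the message is a constructed sample; RSA is left out to keep the example short.

```java
// Added example (not the repository's code). Uses only the JDK (Java 8+).
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CryptoSamples {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Output layout: iv || ciphertext || tag. A fresh random IV per message is mandatory for GCM.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(ivAndCiphertext);
        byte[] iv = new byte[GCM_IV_BYTES];
        buf.get(iv);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ct); // throws AEADBadTagException if data or tag were modified
    }

    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withDSA");
        sig.initSign(priv);
        sig.update(data);
        return sig.sign();
    }

    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withDSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // 256-bit keys need the unlimited strength policy on older Java 8 builds
        SecretKey aesKey = kg.generateKey();
        byte[] sealed = encrypt(aesKey, message);
        System.out.println("round trip: " + new String(decrypt(aesKey, sealed), StandardCharsets.UTF_8));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair dsa = kpg.generateKeyPair();
        byte[] signature = sign(dsa.getPrivate(), message);
        System.out.println("signature valid:  " + verify(dsa.getPublic(), message, signature));
        message[0] ^= 1; // flip one bit of the signed data
        System.out.println("after tampering:  " + verify(dsa.getPublic(), message, signature));
    }
}
```

GCM is chosen over AES/CBC here because CBC alone gives no integrity check; with GCM a modified ciphertext fails in doFinal instead of decrypting to garbage that the application might act on.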
Crypto demo project using Keyczar to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) keys as well as to sign and verify data (DSA). All classes contain main methods to execute the samples.
Crypto demo project using Apache Shiro to encrypt and decrypt data with symmetric (AES) keys as well as hash data (passwords). All classes contain main methods to execute the samples.