|
2 | 2 |
|
3 | 3 | 本项目是记录自己在学习Java代码审计过程中遇到的优秀内容,包括Java代码审计技巧以及优秀的Java代码审计案例。一个不会Java代码审计的师傅不是一个好黑客,一个不会Java代码审计的黑客不是一个好师傅!深入理解Java代码审计,手握众多重点Java应用高危0day!作者:[0e0w](https://github.com/0e0w/HackJava) |
4 | 4 |
|
5 | | -本项目创建于2021年7月8日,最近的一次更新时间为2021年11月10日。本项目会持续更新,直到海枯石烂。 |
| 5 | +本项目创建于2021年7月8日,最近的一次更新时间为2021年11月12日。本项目会持续更新,直到海枯石烂。 |
6 | 6 |
|
7 | | --[0x01-Java代码审计资源](https://github.com/0e0w/HackJava#0x01-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%B5%84%E6%BA%90) |
8 | | --[0x02-Java漏洞靶场平台](https://github.com/0e0w/HackJava#0x02-Java%E6%BC%8F%E6%B4%9E%E9%9D%B6%E5%9C%BA%E5%B9%B3%E5%8F%B0) |
9 | | --[0x03-Java代码审计工具](https://github.com/0e0w/HackJava#0x03-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%B7%A5%E5%85%B7) |
10 | | --[0x04-Java代码审计案例](https://github.com/0e0w/HackJava#0x04-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%A1%88%E4%BE%8B) |
11 | | --[0x05-Java安全Web漏洞](https://github.com/0e0w/Hackjava#0x04-Java%E5%B8%B8%E8%A7%84Web%E6%BC%8F%E6%B4%9E) |
12 | | --[0x06-Java安全编码规范](https://github.com/0e0w/Hackjava#0x06-Java%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E8%A7%84%E8%8C%83) |
13 | | --[0x07-Java代码审计培训](https://github.com/0e0w/Hackjava#0x07-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%9F%B9%E8%AE%AD) |
14 | | --[0x08-Java代码审计老师](https://github.com/0e0w/Hackjava#0x08-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%80%81%E5%B8%88) |
| 7 | +-[01-Java代码审计资源]() |
| 8 | +-[02-Java代码审计工具]() |
| 9 | +-[03-Java漏洞靶场平台]() |
| 10 | +-[04-Java安全Web漏洞]() |
| 11 | +-[05-Java代码审计实战]() |
| 12 | +-[06-Java安全编码规范]() |
| 13 | +-[08-Java代码审计老师]() |
15 | 14 |
|
16 | | -##0x01-Java代码审计资源 |
| 15 | +##01-Java代码审计资源 |
17 | 16 |
|
18 | | -一、书籍资源 |
| 17 | +一、书籍教程 |
19 | 18 | -[ ][《Java代码审计 入门篇》](https://item.jd.com/10033832360716.html)@陈俊杰等 |
20 | 19 | -[ ][《Java代码审计实战》](https://item.jd.com/13466996.html)@高昌盛等 |
21 | 20 |
|
22 | | -二、视频教程 |
23 | | --[ ][《MS08067安全实验室》](https://space.bilibili.com/396298765?spm_id_from=333.788.b_765f7570696e666f.2) |
| 21 | +-[ ][《Java Web安全-代码审计》]()@凌天实验室 |
| 22 | +-[ ][《Java安全漫谈笔记相关》](https://github.com/phith0n/JavaThings)@phith0n |
| 23 | + |
| 24 | +二、审计案例 |
24 | 25 |
|
25 | | -三、其他资源 |
| 26 | +-[ ]https://github.com/proudwind/javasec_study |
| 27 | +-[ ]https://github.com/threedr3am/learnjavabug |
| 28 | +-[ ]https://github.com/SummerSec/JavaLearnVulnerability |
| 29 | +-[ ]https://github.com/cn-panda/JavaCodeAudit |
| 30 | +-[ ]https://github.com/Maskhe/javasec |
| 31 | +-[ ]https://github.com/anbai-inc/javaweb-sec |
| 32 | +-[ ]https://github.com/feihong-cs/Java-Rce-Echo |
| 33 | +-[ ]https://github.com/Y4er/WebLogic-Shiro-shell |
| 34 | +-[ ]https://github.com/feihong-cs/Java-Rce-Echo |
| 35 | +-[ ]https://github.com/feihong-cs/JNDIExploit |
| 36 | +-[ ]https://github.com/welk1n/JNDI-Injection-Exploit |
| 37 | +-[ ]https://github.com/March110/javaweb-sec |
| 38 | +-[ ]https://github.com/wh1t3p1g/ysomap |
| 39 | +-[ ]https://github.com/returntocorp/semgrep |
| 40 | +-[ ]https://github.com/MobSF/mobsfscan |
| 41 | +-[ ]https://github.com/huyuanzhi2/CodeReview |
| 42 | +-[ ]https://github.com/su18/JDBC-Attack |
| 43 | +-[ ]https://github.com/7hang/--Java |
| 44 | +-[ ]https://github.com/5huai/POC-Test |
| 45 | +-[ ]https://github.com/iiiusky/javaweb-codereview |
26 | 46 | -[ ]https://github.com/Firebasky/Java |
| 47 | + |
| 48 | +三、视频教程 |
| 49 | + |
| 50 | +-[ ][《MS08067安全实验室》](https://space.bilibili.com/396298765?spm_id_from=333.788.b_765f7570696e666f.2) |
| 51 | + |
| 52 | +四、培训演讲 |
| 53 | + |
| 54 | +五、审计报告 |
| 55 | + |
| 56 | +五、其他资源 |
| 57 | + |
27 | 58 | -[ ][《攻击Java Web应用》](https://appts4jvi.zhishibox.net/b/5d644b6f81cbc9e40460fe7eea3c7925) |
28 | 59 | -[ ][《静态程序分析入门教程》](https://github.com/RangerNJU/Static-Program-Analysis-Book) |
29 | 60 |
|
30 | | -##0x02-Java漏洞靶场平台 |
| 61 | +##02-Java代码审计工具 |
| 62 | + |
| 63 | +工欲善其事必先利其器,此处收集整理Java代码审计的一些优秀工具!期待自己的代码审计工具能够早日发布! |
| 64 | + |
| 65 | +一、Frotify |
| 66 | +-[ ]https://github.com/wooyunwang/Fortify |
| 67 | +-[ ]https://github.com/5wimming/gadgetinspector |
| 68 | + |
| 69 | +二、IDEA |
| 70 | +-[ ]https://github.com/XianYanTechnology/RocB |
| 71 | + |
| 72 | +三、其他 |
| 73 | +-[ ]https://github.com/MobSF/mobsfscan |
| 74 | +-[ ]https://github.com/threedr3am/log-agent |
| 75 | +-[ ]https://github.com/wh1t3p1g/tabby |
| 76 | +-[ ]https://github.com/KpLi0rn/ysoserial |
| 77 | +-[ ]https://github.com/EmYiQing/XVulnFinder |
| 78 | +-[ ]https://github.com/EmYiQing/CodeInspector |
| 79 | +-[ ]https://github.com/mtxiaowangzi/CAFJE |
| 80 | +-[ ]https://github.com/FeeiCN/Cobra |
| 81 | + |
| 82 | +##03-Java漏洞靶场平台 |
31 | 83 |
|
32 | 84 | -[ ]https://github.com/Mysticbinary/WebBug |
33 | 85 | -[ ]https://github.com/dschadow/JavaSecurity |
|
48 | 100 | -[ ]https://github.com/CSPF-Founder/JavaVulnerableLab |
49 | 101 | -[ ]https://github.com/t0thkr1s/allsafe |
50 | 102 | -[ ]https://github.com/bit4woo/Java_deserialize_vuln_lab |
51 | | - |
52 | | -##0x03-Java代码审计工具 |
53 | | - |
54 | | -一、Frotify |
55 | | --[ ]https://github.com/wooyunwang/Fortify |
56 | | --[ ]https://github.com/5wimming/gadgetinspector |
57 | | - |
58 | | -二、IDEA |
59 | | --[ ]https://github.com/XianYanTechnology/RocB |
60 | | - |
61 | | -三、其他 |
62 | | --[ ]https://github.com/MobSF/mobsfscan |
63 | | --[ ]https://github.com/threedr3am/log-agent |
64 | | --[ ]https://github.com/wh1t3p1g/tabby |
65 | | --[ ]https://github.com/KpLi0rn/ysoserial |
66 | | --[ ]https://github.com/EmYiQing/XVulnFinder |
67 | | --[ ]https://github.com/EmYiQing/CodeInspector |
68 | | - |
69 | | -##0x04-Java代码审计案例 |
70 | | - |
| 103 | +-[ ]https://github.com/mtxiaowangzi/Java-EE-VulnWeb |
71 | 104 | -[ ]https://github.com/j3ers3/Hello-Java-Sec |
72 | | --[ ]https://github.com/proudwind/javasec_study |
73 | | --[ ]https://github.com/threedr3am/learnjavabug |
74 | | --[ ]https://github.com/SummerSec/JavaLearnVulnerability |
75 | | --[ ]https://github.com/cn-panda/JavaCodeAudit |
76 | | --[ ]https://github.com/Maskhe/javasec |
77 | | --[ ]https://github.com/phith0n/JavaThings |
78 | | --[ ]https://github.com/anbai-inc/javaweb-sec |
79 | | --[ ]https://github.com/feihong-cs/Java-Rce-Echo |
80 | | --[ ]https://github.com/Y4er/WebLogic-Shiro-shell |
81 | | --[ ]https://github.com/feihong-cs/Java-Rce-Echo |
82 | | --[ ]https://github.com/feihong-cs/JNDIExploit |
83 | | --[ ]https://github.com/welk1n/JNDI-Injection-Exploit |
84 | | --[ ]https://github.com/March110/javaweb-sec |
85 | | --[ ]https://github.com/wh1t3p1g/ysomap |
86 | | --[ ]https://github.com/returntocorp/semgrep |
87 | | --[ ]https://github.com/mtxiaowangzi/CAFJE |
88 | | --[ ]https://github.com/MobSF/mobsfscan |
89 | | --[ ]https://github.com/huyuanzhi2/CodeReview |
90 | | --[ ]https://github.com/su18/JDBC-Attack |
91 | 105 |
|
92 | | -##0x05-Java安全Web漏洞 |
| 106 | +##04-Java安全Web漏洞 |
93 | 107 |
|
94 | 108 | 本部分详细列举常见的Java安全漏洞内容。 |
95 | 109 |
|
|
114 | 128 | - CSRF跨站请求伪造 |
115 | 129 | - SSRF服务端请求伪造 |
116 | 130 |
|
117 | | -##0x06-Java安全编码规范 |
| 131 | +##05-Java代码审计实战 |
118 | 132 |
|
119 | | --[ ] 腾讯集团-Java安全编码规范 |
120 | | --[ ] 奇安信集团-Java安全编码规范 |
121 | | --[ ][陌陌集团-Java安全编码规范](https://github.com/momosecurity/rhizobia_J) |
| 133 | +##06-Java安全编码规范 |
122 | 134 |
|
123 | | -##0x07-Java代码审计培训 |
| 135 | +- 腾讯-Java安全编码规范 |
| 136 | +- 奇安信-Java安全编码规范 |
| 137 | +-[陌陌-Java安全编码规范](https://github.com/momosecurity/rhizobia_J) |
| 138 | +- 华为-Java安全编码规范 |
| 139 | +- 软通动力-Java-Web安全开发规范 |
124 | 140 |
|
125 | | -##0x08-Java代码审计老师 |
| 141 | +##07-Java代码审计老师 |
126 | 142 |
|
127 | 143 | 本人在学习Java代码审计的过程中遇到了很多优秀的Java代码审计工程师,感谢这些研究者! |
128 | 144 |
|
|