Repository files navigation

This repository contains several Java web applications and command line applications covering different security topics. Have a look at myslides andpublications covering most applications in this repository.

• Java 21
• Maven 3
• Mozilla Firefox (recommended, some demos might not be fully working in other browsers)
• Docker (required for running the sample applications as Docker containers)

Some web applications contain exercises, some are only there to inspect and learn. Instructions are provided in detail on the start page of each web application.

Some web applications are based onSpring Boot and can be started via themain method in theApplication class or viamvn spring-boot:run in the project directory. Spring Boot projects can be launched viadocker run -p 8080:8080 dschadow/[PROJECT] after the image has been created usingmvn spring-boot:build-image. The other web applications either contain an embeddedTomcat7 Maven plugin which can be started viamvn tomcat7:run-war, or an embeddedJetty Maven plugin which can be started viamvn jetty:run-war.

Access control demo project usingSpring Security in a Spring Boot application. Shows how to safely load user data from a database without using potentially faked frontend values. After launching, open the web application in your browser athttp://localhost:8080.

Spring Boot based web application using a Content Security Policy (CSP) header. After launching, open the web application in your browser athttp://localhost:8080.

Cross-Site Request Forgery (CSRF) demo project based on Spring Boot preventing CSRF in a web application by usingSpring Security. After launching, open the web application in your browser athttp://localhost:8080.

Cross-Site Request Forgery (CSRF) demo project preventing CSRF in a JavaServer Pages (JSP) web application by using theEnterprise Security API (ESAPI). After launching, open the web application in your browser athttp://localhost:8080/csrf.

Direct object references (and indirect object references) demo project using Spring Boot and using theEnterprise Security API (ESAPI). After launching, open the web application in your browser athttp://localhost:8080.

Spring Boot based web application to experiment withOWASP ZAP as an intercepting proxy. Target is to receiveSUCCESS from the backend. After launching, open the web application in your browser athttp://localhost:8080.

Security response header demo project which appliesX-Content-Type-Options,Cache-Control,X-Frame-Options,HTTP Strict Transport Security (HSTS),X-XSS-Protection andContent Security Policy (CSP) (Level 1 and 2) headers to HTTP responses. After launching, open the web application in your browser athttp://localhost:8080/security-header orhttps://localhost:8443/security-header.

Spring Boot based web application utilizing theOWASP Security Logging Project. Demonstrates how to log security relevant incidents in a log file. After launching, open the web application in your browser athttp://localhost:8080.

Session handling demo project based on Spring Boot utilizingSpring Security andjasypt-spring-boot to secureSpring configuration (property) files. Shows how to restrict access to resources (URLs), how to apply method level security and how to securely store and verify passwords. Uses Spring Security for all security-related functionality. Requires a system property (or environment variable or command line argument) namedjasypt.encryptor.password with the valuesession-handling-spring-security present on startup. After launching, open the web application in your browser athttp://localhost:8080.

Session handling demo project using plain Java. Uses plain Java to create and update the session id after logging in. Requires a web server with Servlet 3.1 support. After launching, open the web application in your browser athttp://localhost:8080/session-handling.

Spring Boot based web application to experiment with normal (vulnerable) statements, statements with escaped input, and prepared statements. After launching, open the web application in your browser athttp://localhost:8080.

Cross-Site Scripting (XSS) demo project preventing XSS in a JavaServer Pages (JSP) web application by using input validation, output escaping withOWASP Java Encoder and the Content Security Policy (CSP). After launching, open the web application in your browser athttp://localhost:8080/xss.

The following projects demonstrate crypto usage in Java with different libraries. Each project contains one or more JUnittest classes to test various functionalities of the demo project.

Crypto demo using Java to hash passwords with different hashing algorithms.

Crypto demo using plain Java to encrypt and decrypt data with asymmetric (RSA) and symmetric (AES) algorithms as well as to sign and verify data (DSA).

Crypto demo usingApache Shiro to encrypt and decrypt data with symmetric (AES) algorithms as well as hash data (passwords).

Crypto demo usingGoogle Tink to encrypt and decrypt data with asymmetric and hybrid encryption, MAC and digital signatures. Depending on the demo, keys are either generated on the fly or stored/loaded from the keysets' directory. TheAWS KMS samples (classes with AwsKms in their names) require a configured AWS KMS with an enabled master key.