Java-Web-Security - Sichere Webanwendungen mit Java entwickeln

python2014/Java-Web-Security


This repository contains the complete code samples from my book Java-Web-Security - Sichere Webanwendungen mit Java entwickeln (dpunkt.verlag, ISBN 978-3-86490-146-1), available as Print, as PDF/EPub and for Kindle.

All Java projects are created as Maven projects and require Java 8 and Apache Maven 3 or newer. In Eclipse you therefore need to install the Maven integration via the Eclipse update manager. After that, you can either use the git m2e connector (m2e-egit) to import the projects directly from the repository, or clone the repository and use Import Maven Projects instead (no connector required). IntelliJ IDEA supports this out of the box.

Mozilla Firefox is the recommended browser and, as of this writing, works with all vulnerable web applications in this repository. Keep in mind that browsers or some add-ons may already block or filter certain attacks. Deactivate all blocking or intercepting add-ons, or try a different browser, if a sample application is not working.

The easiest way to start a web application is to use the Maven Tomcat7 plug-in in each project: mvn tomcat7:run-war (or simply mvn in the console, since this is the default goal). Open your browser and point it to http://localhost:8080/PROJECT_NAME, e.g. http://localhost:8080/Ch04_OutputEscaping. The project name is always the final part of the URL.

See the following subsections for a short description and the requirements to execute the sample code and launch the web application.

Ch04_OutputEscaping

Web application using JavaServer Pages (JSP) to show the difference between output escaping via the Enterprise Security API (ESAPI) and no output escaping at all. Use an input like <script>alert('XSS')</script> to examine the difference.

Requirements: Apache Tomcat, Webbrowser

Ch04_OutputEscapingJSF

Web application using JavaServer Faces (JSF) to demonstrate the two different possibilities to show user input in a web page, with #{contact.firstname} and <h:outputText value="#{contact.firstname}" />. Use an input like <script>alert('XSS')</script> to examine the difference.

Requirements: Apache Tomcat, Webbrowser

Ch04_OutputEscapingJSP

Spring based web application using JavaServer Pages (JSP) to demonstrate the two different possibilities to show user input in a web page, with ${contact.firstname} and <c:out value="${contact.firstname}" />. Use an input like <script>alert('XSS')</script> to examine the difference.

Requirements: Apache Tomcat, Webbrowser
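The three output escaping projects above all hinge on the same mechanism. As an added example (not code from the book's projects), here is a plain Java HTML encoder that escapes exactly the five characters JSTL's <c:out> escapes by default, rendered next to the raw output that ${contact.firstname} or #{contact.firstname} produces for the book's test input. The class and method names are my own.

```java
import java.util.function.Function;

public class OutputEscapingDemo {

    // Escapes the characters that make text dangerous inside an HTML text node
    // or quoted attribute: the same set that JSTL <c:out escapeXml="true"> escapes.
    // ESAPI's Encoder.encodeForHTML() goes further (it entity-encodes nearly every
    // non-alphanumeric character) but neutralises the same attack.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders the page fragment the two ways the sample projects do: raw, as
    // ${contact.firstname} would, and escaped, as <c:out> or ESAPI would.
    static String render(String firstname, Function<String, String> encoder) {
        return "<p>Hello, " + encoder.apply(firstname) + "!</p>";
    }

    public static void main(String[] args) {
        String firstname = "<script>alert('XSS')</script>"; // the book's test input
        // Raw: the script element reaches the browser intact and is executed.
        System.out.println(render(firstname, Function.identity()));
        // Escaped: the browser renders the tag as visible text.
        System.out.println(render(firstname, OutputEscapingDemo::escapeHtml));
    }
}
```

Note that this encoder is only correct for HTML text nodes and quoted attribute values; output placed into JavaScript, URLs or CSS needs the context-specific ESAPI encoders instead.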

Ch05_AccessReferenceMaps

Web application using JavaServer Faces (JSF) to show the difference between using unprotected and protected maps (with IntegerAccessReferenceMaps and RandomAccessReferenceMaps) with user data.

Requirements: Apache Tomcat, Webbrowser
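To show what a protected map buys you, here is an added example in the spirit of ESAPI's RandomAccessReferenceMap (my own code, not ESAPI's or the project's): database ids are registered per session and only unguessable tokens reach the browser, so a request carrying a token that was never issued cannot be turned into somebody else's record.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Session-scoped map from direct references (database ids) to unguessable
// indirect references handed to the browser. Modelled on the idea behind
// ESAPI's RandomAccessReferenceMap; not ESAPI's or the book's code.
public class IndirectReferenceMap {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();

    // Registers a direct reference and returns its indirect token (idempotent).
    public synchronized String addDirectReference(Object direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String indirect;
        do {
            byte[] bytes = new byte[12];
            random.nextBytes(bytes);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    // Resolves a token taken from the request. Tokens that were never issued
    // to this session are rejected, so an id cannot be guessed or incremented.
    public synchronized Object getDirectReference(String indirect) {
        Object direct = indirectToDirect.get(indirect);
        if (direct == null) {
            throw new IllegalArgumentException("Unknown reference");
        }
        return direct;
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap(); // one per session
        String link = map.addDirectReference(1001L);           // this user's record
        System.out.println("/contact?id=" + link + " -> " + map.getDirectReference(link));
        try {
            map.getDirectReference("1002");  // a direct id never issued as a token
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```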

Ch05_HSTS

Web application using a Servlet filter to add the Strict-Transport-Security header to each response.

Requirements: Apache Tomcat, Webbrowser

Ch05_SessionFixation

Web application invalidating an existing session and its session id before continuing the login process. This web application requires the included special context.xml configuration for Tomcat in order to display the current session id via JavaScript.

Requirements: Apache Tomcat, Webbrowser
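The login step described above, written out as an added example (not the project's servlet): the pre-login session is invalidated and a fresh one created before the authenticated identity is stored. The credential check, the attribute names in KEEP and the redirect target are placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Login servlet that discards the pre-login session, and with it its id,
// before storing the authenticated identity. A session id that was planted
// in the browser before login is therefore never promoted to a logged-in one.
public class LoginServlet extends HttpServlet {

    // Attributes allowed to survive the login (assumed names); everything else
    // in the old session is deliberately dropped.
    private static final String[] KEEP = {"cart"};

    // Placeholder credential check; the sample project has its own.
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "placeholder-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 1. Copy only the attributes you explicitly want to keep ...
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : KEEP) {
                if (old.getAttribute(name) != null) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            // 2. ... then invalidate the old session: its id is now worthless.
            old.invalidate();
        }
        // 3. A fresh session gets a new id; only now is the identity stored.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/welcome"); // assumed target
    }
}
```

On Servlet 3.1 containers (Tomcat 8 and newer) HttpServletRequest.changeSessionId() renews the id while keeping the session's attributes, which removes the copy step.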

Ch05_SessionHandling

Web application containing a complete web.xml configuration showing how to protect cookies and other session data. It contains only a start page, which fails when it tries to show the session cookie in a JavaScript popup.

Requirements: Apache Tomcat, Webbrowser

Ch06_SQLInjection

Web application using user input to query an in-memory database. The entered data is used as part of a normal Statement, an escaped Statement, a Prepared Statement and as input for a Hibernate Query Language (HQL) query.

Requirements: Apache Tomcat, Webbrowser
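The four query variants the sample compares, as an added example (my code, not the project's): the table and column names, the entity name Contact and the way the JDBC connection and Hibernate session are obtained are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;
import org.hibernate.Session;

// Query construction for the four variants the sample application compares.
// Table and column names are assumed; the connection and Hibernate session
// come from the project's in-memory database setup.
public class ContactQueries {

    private static final String SQL_PREFIX =
            "SELECT firstname, lastname FROM contacts WHERE lastname = ";

    // 1. Plain Statement: the input becomes part of the SQL text, so a quote
    //    in it ends the string literal and the rest is parsed as SQL.
    public static ResultSet plainStatement(Connection c, String name) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery(SQL_PREFIX + "'" + name + "'");
    }

    // 2. Escaped Statement: doubling single quotes keeps the literal closed.
    //    Correct only for string literals of this dialect; numeric columns,
    //    LIKE wildcards and other databases need different rules.
    public static ResultSet escapedStatement(Connection c, String name) throws SQLException {
        String escaped = name.replace("'", "''");
        Statement st = c.createStatement();
        return st.executeQuery(SQL_PREFIX + "'" + escaped + "'");
    }

    // 3. PreparedStatement: the SQL is compiled with a placeholder and the
    //    value is bound afterwards, so it can never be parsed as SQL.
    public static ResultSet preparedStatement(Connection c, String name) throws SQLException {
        PreparedStatement ps = c.prepareStatement(SQL_PREFIX + "?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // 4. HQL: same principle with a named parameter instead of concatenating
    //    the input into the query string.
    public static List<?> hqlQuery(Session session, String name) {
        return session.createQuery("from Contact where lastname = :name")
                .setParameter("name", name)
                .list();
    }
}
```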

Ch06_XPathInjection

Web application using user input to query a simple XML document. The entered data (name and password) is used as part of a normal XPath expression without any escaping and, escaped, as part of another XPath expression. The unescaped version is prone to XPath Injection, which makes it possible to retrieve more data from the XML document than intended.

Requirements: Apache Tomcat, Webbrowser
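Escaping is one answer to this problem; binding the input as XPath variables is the more robust one, since the expression text never changes. This added example (JDK only, not the project's code) builds the login query both ways over a constructed user document; a legitimate name containing an apostrophe is enough to show that the spliced version hands user input to the XPath parser while the bound version compares it as a plain value.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLogin {
    // Constructed sample document standing in for the project's XML user file.
    static final String USERS = "<users>"
            + "<user><name>alice</name><password>pw-alice</password></user>"
            + "<user><name>O'Brien</name><password>pw-obrien</password></user>"
            + "</users>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    // Unescaped: the input is spliced into the expression text. A quote in it
    // changes the expression's structure, which is exactly what an injection uses.
    static int unsafeMatches(Document doc, String name, String pw) throws Exception {
        String expr = "count(//user[name='" + name + "' and password='" + pw + "'])";
        return ((Double) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NUMBER)).intValue();
    }

    // Safe: the expression is fixed and the input is bound as XPath variables,
    // so it is compared as a literal value no matter which characters it holds.
    static int safeMatches(Document doc, String name, String pw) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName v) ->
                "name".equals(v.getLocalPart()) ? name : pw);
        return ((Double) xpath.evaluate("count(//user[name=$name and password=$pw])",
                doc, XPathConstants.NUMBER)).intValue();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS);
        System.out.println("safe login for O'Brien: " + safeMatches(doc, "O'Brien", "pw-obrien"));
        try {
            unsafeMatches(doc, "O'Brien", "pw-obrien");
        } catch (XPathExpressionException e) {
            // The apostrophe already broke the expression: user input reached the parser.
            System.out.println("unsafe variant failed to parse: " + e.getMessage());
        }
    }
}
```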

Ch07_CSP

Web application with three input processing servlets. The first is unprotected, processes any input without input validation or output escaping and is prone to Cross-Site Scripting. The second servlet adds a minimal Content-Security-Policy header to the response that allows only sources from the same origin (URL). This already protects the response page from Cross-Site Scripting in supported browsers. The third form adds a Content-Security-Policy-Report-Only header and shows how easily the reported data can be processed.

Requirements: Apache Tomcat, Webbrowser
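Both the HSTS filter of Ch05_HSTS and the CSP headers of Ch07_CSP are response headers set once for the whole application, so one filter covers them. This added example is my own code, not the project's: the init parameter reportOnly and the report path /csp-report are assumed names.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Filter that adds the HSTS header (Ch05_HSTS) and a minimal CSP (Ch07_CSP)
// to every response. Map it to /* in web.xml. The init parameter "reportOnly"
// and the report path /csp-report are assumptions, not the project's names.
public class SecurityHeadersFilter implements Filter {

    // One year; browsers only honour this header when received over HTTPS.
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    // Everything (scripts, styles, images, frames, ...) only from the page's own
    // origin. Inline script injected via reflected input is not executed.
    private static final String POLICY = "default-src 'self'; report-uri /csp-report";

    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) {
        // Report-Only does not block anything; the browser just POSTs a JSON
        // violation report to report-uri. Use it to test a policy first.
        reportOnly = "true".equals(config.getInitParameter("reportOnly"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            if (req.isSecure()) {
                resp.setHeader("Strict-Transport-Security", HSTS);
            }
            String header = reportOnly ? "Content-Security-Policy-Report-Only"
                                       : "Content-Security-Policy";
            resp.setHeader(header, POLICY);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```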

Ch07_XSS

Web application to test the three XSS types stored, reflected and DOM based. The input text field is vulnerable to XSS and can easily be protected by enabling output escaping. The cookie could be protected by removing the special context.xml and by setting the corresponding web.xml parameter.

This web application requires the included special context.xml configuration for Tomcat in order to display the current session id via JavaScript.

Requirements: Apache Tomcat, Webbrowser

Ch07_XSSFilter

Web application showing the differences between blacklist based and ESAPI based request filtering. Use an input like <script>alert('XSS')</script> to see the different results on the output pages.

Requirements: Apache Tomcat, Webbrowser

Ch07_XSSJSF

JavaServer Faces (JSF) based web application accepting user input in two forms. The first form results in an output page showing the user input in drop-down boxes and output text fields with all default attributes active. The second form results in an output page using the same output fields with every additional security related attribute set to the maximum. Use an input like <script>alert('XSS')</script> to challenge the JSF XSS protection.

Requirements: Apache Tomcat, Webbrowser

Ch08_CSRF

Web application showing Cross-Site Request Forgery (CSRF) with GET and POST requests and how to protect forms with an anti-CSRF token. All requests on the Unprotected Requests page are successful and reach the backend as a normal request. The Protected Requests page contains successful (with token) and unsuccessful (without token) requests; only the valid requests are processed in the backend.

Requirements: Apache Tomcat, Webbrowser
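The token check behind the Protected Requests page, as an added example (my code, not the project's): one random token per session, rendered into each form as a hidden field and verified by a filter on every non-GET request. The attribute and parameter name csrfToken is an assumption.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Per-session anti-CSRF token: issued once per session, embedded in every form
// as a hidden field and required on every state-changing request.
// The attribute/parameter name is an assumption, not the project's.
public class CsrfTokenFilter implements Filter {
    static final String TOKEN = "csrfToken";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Called from the JSP that renders a form, e.g.
    // <input type="hidden" name="csrfToken" value="<%= CsrfTokenFilter.tokenFor(session) %>">
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN);
            if (token == null) {
                byte[] bytes = new byte[32];
                RANDOM.nextBytes(bytes);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
                session.setAttribute(TOKEN, token);
            }
            return token;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Only non-GET requests are checked, so GET handlers must not change
        // state; the unprotected sample page shows why a state-changing GET is a problem.
        if (!"GET".equals(request.getMethod()) && !"HEAD".equals(request.getMethod())) {
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN);
            String actual = request.getParameter(TOKEN);
            // Constant-time comparison: a mismatch must not leak which byte differed.
            if (expected == null || actual == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    actual.getBytes(StandardCharsets.UTF_8))) {
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```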
