├── src └── main │ ├── webapp │ ├── docs │ │ ├── doc1.pdf │ │ └── exampledoc.pdf │ ├── images │ │ ├── bg.png │ │ └── Thumbs.db │ ├── META-INF │ │ └── context.xml │ ├── vulnerability │ │ ├── xss │ │ │ ├── flash │ │ │ │ ├── xss1.swf │ │ │ │ ├── xss2.swf │ │ │ │ └── exss.jsp │ │ │ ├── xss4.jsp │ │ │ └── search.jsp │ │ ├── baasm │ │ │ ├── URLRewriting.jsp │ │ │ └── SiteTitle.jsp │ │ ├── sqli │ │ │ ├── download.jsp │ │ │ ├── union2.jsp │ │ │ ├── download_id_union.jsp │ │ │ └── download_id.jsp │ │ ├── mfac │ │ │ └── SearchEngines.jsp │ │ ├── unvalidated │ │ │ ├── OpenForward.jsp │ │ │ └── OpenURL.jsp │ │ ├── sde │ │ │ └── hash.jsp │ │ ├── Injection │ │ │ ├── xpath_login.jsp │ │ │ ├── xslt.jsp │ │ │ ├── Users.hbm.xml │ │ │ ├── courses.xml │ │ │ ├── xxe.jsp │ │ │ ├── 2.xsl │ │ │ ├── 1.xsl │ │ │ └── orm.jsp │ │ ├── forumUsersList.jsp │ │ ├── forumposts.jsp │ │ ├── SendMessage.jsp │ │ ├── UserDetails.jsp │ │ ├── Messages.jsp │ │ ├── securitymisconfig │ │ │ └── pages.jsp │ │ ├── csrf │ │ │ ├── change-info.jsp │ │ │ └── changepassword.jsp │ │ ├── idor │ │ │ ├── change-email.jsp │ │ │ └── download.jsp │ │ ├── DisplayMessage.jsp │ │ └── forum.jsp │ ├── footer.jsp │ ├── robots.txt │ ├── WEB-INF │ │ ├── AdminPanel.jsp │ │ ├── config.properties │ │ ├── users.xml │ │ └── web.xml │ ├── admin │ │ ├── admin.jsp │ │ ├── index.jsp │ │ ├── AddPage.jsp │ │ ├── Configure.jsp │ │ ├── manageusers.jsp │ │ └── adminlogin.jsp │ ├── index.jsp │ ├── login.jsp │ ├── install.jsp │ ├── Register.jsp │ ├── ForgotPassword.jsp │ ├── changeCardDetails.jsp │ ├── myprofile.jsp │ ├── style.css │ └── header.jsp │ ├── resources │ └── Users.hbm.xml │ └── java │ └── org │ └── cysecurity │ └── cspf │ └── jvl │ ├── model │ ├── HashMe.java │ ├── orm │ │ └── Users.java │ └── DBConnect.java │ └── controller │ ├── Logout.java │ ├── Open.java │ ├── ForwardMe.java │ ├── xxe.java │ ├── EmailCheck.java │ ├── UsernameCheck.java │ ├── AddPage.java │ ├── XPathQuery.java │ ├── SendMessage.java │ ├── Register.java │ ├── 
LoginValidator.java │ └── Install.java ├── default-tomcat.xml ├── docker-compose.yml ├── Dockerfile ├── pom.xml ├── README.md └── LICENSE /src/main/webapp/docs/doc1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/docs/doc1.pdf -------------------------------------------------------------------------------- /src/main/webapp/images/bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/images/bg.png -------------------------------------------------------------------------------- /src/main/webapp/images/Thumbs.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/images/Thumbs.db -------------------------------------------------------------------------------- /src/main/webapp/docs/exampledoc.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/docs/exampledoc.pdf -------------------------------------------------------------------------------- /src/main/webapp/META-INF/context.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/xss/flash/xss1.swf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/vulnerability/xss/flash/xss1.swf -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/xss/flash/xss2.swf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/CSPF-Founder/JavaVulnerableLab/HEAD/src/main/webapp/vulnerability/xss/flash/xss2.swf -------------------------------------------------------------------------------- /default-tomcat.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/main/webapp/footer.jsp: -------------------------------------------------------------------------------- 1 | 2 | 3 |
4 | 5 | 6 |

Copyrights © Cyber Security & Privacy Foundation

7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /src/main/webapp/robots.txt: -------------------------------------------------------------------------------- 1 | User-agent: * 2 | Disallow: /admin/admin.jsp 3 | Disallow: /admin/manageusers.jsp 4 | Disallow: /admin/AddPage.jsp 5 | Disallow: /admin/AddPage.do 6 | Disallow: /admin/Configure.jsp 7 | Disallow: /header.jsp 8 | Disallow: /myprofile.jsp 9 | Disallow: /footer.jsp -------------------------------------------------------------------------------- /src/main/webapp/WEB-INF/AdminPanel.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 | This is Admin Panel located in WEB-INF. You can't directly visit this page ;)

4 | 7 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/baasm/URLRewriting.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 | <% 4 | out.print("Your Session ID:"+session.getId()); 5 | %> 6 |
7 |
8 | X Never Expose Session IDs in URL. X
9 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/sqli/download.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 |

Download Files:


3 | 7 | 8 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/admin/admin.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 | Welcome to the Admin Panel

4 | 9 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/admin/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <% 3 | if(session.getAttribute("privilege")!=null && session.getAttribute("privilege").equals("admin")) 4 | { 5 | response.sendRedirect("admin.jsp"); 6 | } 7 | else 8 | { 9 | response.sendRedirect("adminlogin.jsp"); 10 | } 11 | %> 12 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/mfac/SearchEngines.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 | There is a file that instructs Search Engines which part of the application should be crawled. The file also prevents Search Engines from accessing & Indexing certain parts of the application. Try, If you are able to access it ;) 4 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/sqli/union2.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 |

Exploit this page with Union Exploitation technique:


4 | 8 | 9 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/WEB-INF/config.properties: -------------------------------------------------------------------------------- 1 | # To change this license header, choose License Headers in Project Properties. 2 | # To change this template file, choose Tools | Templates 3 | # and open the template in the editor. 4 | 5 | dbuser=root 6 | dbpass=root 7 | dbname=abc 8 | dburl=jdbc:mysql://mysql:3306/ 9 | jdbcdriver=com.mysql.jdbc.Driver 10 | siteTitle=Java Vulnerable Lab 11 | -------------------------------------------------------------------------------- /src/main/webapp/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="header.jsp" %> 2 | <% 3 | if(session.getAttribute("user")!=null) 4 | { 5 | out.print("Hello "+session.getAttribute("user")+","); 6 | } 7 | %> 8 | Welcome to Java Vulnerable Lab !

9 | A Deliberately vulnerable Web Application built on JAVA designed to teach Web Application Security. 10 | <%@ include file="footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 7 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/sde/hash.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | The admin Login credentials for this application has been protected with Hashing. Try, If you are able to crack it. 3 |

Btw, You need another vulnerability to gain access to the hashed credentials 4 |

(The admin is a Blood pressure patient, so he doesn't add salt in his food') 5 | 6 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /docker-compose.yml: --------------------------------------------------------------------------------
1 |
    # Two-container stack: the lab web application (jvl) and the MySQL server it uses.
    # NOTE(review): index.jsp on this page describes the application as deliberately
    # vulnerable, so this stack belongs on an isolated host or network only.
2 | services:
3 |   jvl:
4 |     image: cspf/jvl
5 |     build:
6 |       dockerfile: ./Dockerfile
7 |       context: ./
8 |     ports:
          # NOTE(review): "8080:8080" publishes the port on every host interface.
          # Writing it as "127.0.0.1:8080:8080" keeps the lab reachable from the
          # local machine only.
9 |       - 8080:8080
10 |     links:
11 |       - mysql
12 |
13 |   mysql:
           # NOTE(review): mysql:5.7 is past upstream end of life; acceptable for a
           # throwaway lab, not for anything that stays up.
14 |     image: mysql:5.7
15 |     environment:
             # NOTE(review): root password "root", with root allowed from any host ("%").
             # WEB-INF/config.properties on this page uses the same root account, so
             # every query the web application runs has full database privileges.
             # No "ports:" entry is declared for this service, so the database is not
             # published to the host.
16 |       MYSQL_ROOT_PASSWORD: root
17 |       MYSQL_ROOT_HOST: "%"
18 |       MYSQL_DATABASE: abc
19 |     command:
20 |       - "--default-authentication-plugin=mysql_native_password"
21 |
-------------------------------------------------------------------------------- /src/main/webapp/vulnerability/unvalidated/OpenURL.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | Cyber Security & Privacy Foundation has always been committed in providing the public with knowledge on how to defend themselves from malicious elements on the internet. Hence, we have started a new Certification Program that checks the security and quality of websites and security products. 3 |

Click Here to know more >> 4 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/xpath_login.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@ include file="/header.jsp" %> 3 | 4 |
5 | 6 | 7 | 8 | 9 | 10 | 11 |
UserName:
Password :
<% if(request.getParameter("err")!=null){out.print(request.getParameter("err"));} %>
12 |
13 |
14 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/xslt.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@ include file="/header.jsp" %> 3 | <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> 4 | <%@ taglib prefix="x" uri="http://java.sun.com/jsp/jstl/xml" %> 5 |
6 | Select Style: 10 | 11 |

12 | 13 | 14 | 15 | 16 | 17 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # Stage 1: Build Stage 2 | FROM openjdk:8 as build 3 | 4 | WORKDIR /app 5 | 6 | # Copy the source code into the Docker image 7 | COPY . . 8 | 9 | # Install Maven and JDK, then build the project 10 | RUN apt-get update && \ 11 | apt-get install -y maven && \ 12 | mvn clean package 13 | 14 | # Stage 2: Runtime Stage 15 | FROM tomcat:7.0.82 16 | 17 | # Copy the WAR file built in the previous stage 18 | COPY --from=build /app/target/*.war /usr/local/tomcat/webapps/ 19 | 20 | # Copy the pre-prepared tomcat-users.xml to set up user roles 21 | COPY default-tomcat.xml /usr/local/tomcat/conf/tomcat-users.xml 22 | 23 | # CMD to start Tomcat 24 | CMD ["catalina.sh", "run"] 25 | -------------------------------------------------------------------------------- /src/main/webapp/admin/AddPage.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <% 3 | if(session.getAttribute("privilege")!=null && session.getAttribute("privilege").equals("admin")) 4 | { 5 | %> 6 | 7 |
8 | 9 | 10 | 11 | 12 |
File Name:
Content :
13 |
14 | <% 15 | } 16 | else 17 | { 18 | out.print(" x You Are not Authorized to view this Page x "); 19 | } 20 | %> 21 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/resources/Users.hbm.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/Users.hbm.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/xss/xss4.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <% String keyword = request.getParameter("keyword"); %> 3 |

[incomplete]

4 | Please enter only words and search:

5 |
6 | > 7 |

8 |
9 |
10 | <% 11 | 12 | if (keyword != null) 13 | { 14 | %> 15 | Search Results for <%=keyword%> 16 | <% 17 | } 18 | %> 19 |
20 |
21 |
22 |
23 | 24 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/xss/flash/exss.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | 3 |
4 | 5 | 6 | 7 | 8 | 9 |
10 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/courses.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Hacking and Securing Java based Web Applications 5 | https://www.udemy.com/hacking-securing-java-web-programming/ 6 | 7 | 8 | Hacking and Securing PHP Applications 9 | https://www.udemy.com/hacking-securing-php/ 10 | 11 | 12 | Certified White Hat Hacker 13 | https://www.udemy.com/certified-whitehat-hacker-level-1/ 14 | 15 | 16 | Certified APT Defender 17 | https://www.udemy.com/certified-apt-defender/ 18 | 19 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/model/HashMe.java: --------------------------------------------------------------------------------
1 | package org.cysecurity.cspf.jvl.model;
2 |
3 | import java.security.MessageDigest;
4 | import java.security.NoSuchAlgorithmException;
5 |
6 | /**
7 |  * Helper that renders a string as the lowercase hex form of its MD5 digest.
8 |  * @author breakthesec
9 |  */
10 | public class HashMe {
         /**
          * Returns the MD5 digest of {@code str} as 32 lowercase hex characters.
          *
          * NOTE(review):
          * - MD5 is applied once and no salt is mixed in. hash.jsp on this page describes
          *   the admin credentials as hashed without salt; if this helper is what hashes
          *   them (callers are not shown here - confirm), that is the lab's intended
          *   weakness. Outside a training target, stored passwords call for a salted,
          *   deliberately slow password-hashing function.
          * - str.getBytes() uses the platform default charset, so the digest of non-ASCII
          *   input can differ between hosts.
          * - If NoSuchAlgorithmException is caught, sb is still null and the return
          *   statement throws NullPointerException; the original exception is discarded.
          *
          * @param str text to hash; a null value fails at str.getBytes()
          * @return hex string of the digest
          */
11 |     public static String hashMe(String str)
12 |     {
13 |         StringBuffer sb=null;
14 |         try
15 |         {
16 |             MessageDigest md = MessageDigest.getInstance("MD5");
17 |             md.update(str.getBytes());
18 |             byte byteData[] = md.digest();
19 |             sb= new StringBuffer();
20 |             for (int i = 0; i < byteData.length; i++)
21 |             {
                     // Adding 0x100 and dropping the first character keeps the leading
                     // zero, so every byte contributes exactly two hex digits.
22 |                 sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1));
23 |             }
24 |         }
25 |         catch(NoSuchAlgorithmException e)
26 |         {
27 |
28 |         }
29 |         return sb.toString();
30 |     }
31 | }
32 |
-------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/model/orm/Users.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties.
3 |  * To change this template file, choose Tools | Templates
4 |  * and open the template in the editor.
5 |  */
6 |
7 | package org.cysecurity.cspf.jvl.model.orm;
8 |
9 | /**
10 |  * Plain bean with three fields: id, username and about.
    *
    * NOTE(review): the package name and the Users.hbm.xml files listed on this page
    * suggest a Hibernate-mapped entity - confirm against the mapping file.
    * username and about presumably hold user-supplied profile text; HTML-encode
    * them wherever they are written into a page.
11 |  * @author breakthesec
12 |  */
13 | public class Users {
         // Fields carry no access modifier, so they are package-private.
14 |     Long id;
15 |     String username;
16 |     String about;
17 |
         /** Returns the id field. */
18 |     public Long getId() {
19 |         return id;
20 |     }
         /**
          * Sets the id. Private, so code outside this class cannot call it directly
          * (presumably left to the ORM through reflection - confirm).
          */
21 |     private void setId(Long id) {
22 |         this.id = id;
23 |     }
         /** Returns the username field. */
24 |     public String getUsername() {
25 |         return username;
26 |     }
         /** Stores the given username; no validation is applied here. */
27 |     public void setUsername(String username) {
28 |         this.username = username;
29 |     }
         /** Returns the about field. */
30 |     public String getAbout() {
31 |         return about;
32 |     }
         /** Stores the given about text; no validation is applied here. */
33 |     public void setAbout(String about) {
34 |         this.about = about;
35 |     }
36 | }
37 |
-------------------------------------------------------------------------------- /src/main/webapp/vulnerability/xss/search.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | Document : search 3 | Created on : 1 Dec, 2014, 2:15:38 PM 4 | Author : breakthesec 5 | --%> 6 | <%@ include file="/header.jsp" %> 7 |
8 | 11 |
12 | 13 |
14 |
15 | <% 16 | String searchedName = request.getParameter("keyword"); 17 | if (searchedName != null) 18 | { 19 | //code for searching pages related to the given keyword goes here.. 20 | %> 21 | Search Results for <%=searchedName%> 22 |
... 23 |
... 24 | <% 25 | //Show result pages 26 | 27 | } 28 | %> 29 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/xxe.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@ include file="/header.jsp" %> 3 | 23 | 24 |
25 |
26 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/admin/Configure.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.FileOutputStream"%> 2 | <%@ include file="/header.jsp" %> 3 | <% 4 | if(session.getAttribute("isLoggedIn")!=null) 5 | { 6 | 7 | %> 8 |
9 | 10 | 11 | 12 |
Website Title:
13 |
14 | 15 | <% 16 | if(request.getParameter("save")!=null) 17 | { 18 | Properties props=new Properties(); 19 | 20 | props.load(new FileInputStream(configPath)); 21 | props.setProperty("siteTitle",request.getParameter("siteTitle")); 22 | FileOutputStream fileout = new FileOutputStream(configPath); 23 | props.store(fileout, null); 24 | fileout.close(); 25 | out.print(" Configuration saved "); 26 | } 27 | } 28 | else 29 | { 30 | out.print(" x You Are not Authorized to view this Page x "); 31 | } 32 | %> 33 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/forumUsersList.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.sql.ResultSet"%> 2 | <%@page import="java.sql.Statement"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@ include file="/header.jsp" %> 5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 6 | <% 7 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 8 | String username=request.getParameter("username"); 9 | 10 | Statement stmt = con.createStatement(); 11 | ResultSet rs =null; 12 | rs=stmt.executeQuery("select * from users"); 13 | out.print("Users: "); 14 | out.print("
    "); 15 | while( rs.next()) 16 | { 17 | out.print("
  1. "); 18 | out.print(""+rs.getString("username")+""); 19 | out.print("
  2. "); 20 | } 21 | out.print("
    Return to Forum >>"); 26 | %> 27 | 28 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/login.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@ include file="header.jsp" %> 3 | 4 | <% 5 | String username=""; 6 | String password=""; 7 | Cookie[] cookies = request.getCookies(); 8 | if (cookies != null) 9 | for (Cookie c : cookies) { 10 | if ("username".equals(c.getName())) { 11 | username= c.getValue(); 12 | } 13 | else if("password".equals(c.getName())) 14 | { 15 | password= c.getValue(); 16 | } 17 | } 18 | 19 | %> 20 |
    21 | 22 | 23 | 24 | 25 | 26 | 27 |
    UserName:
    Password :
    Remember me:
    <% if(request.getParameter("err")!=null){out.print(request.getParameter("err"));} %>
    28 |
    29 |
    30 | Forgot Password? 31 | <%@ include file="footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/WEB-INF/users.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | NEO 12 | neo 13 | trinity 14 | neo@matrix 15 | I am the NEO 16 | 17 | 18 | Trinity 19 | trinity 20 | neo 21 | trinity@matrix 22 | it is Trinity 23 | 24 | 25 | Oracle 26 | oracle 27 | java 28 | 29 | 30 | Anderson 31 | anderson 32 | java 33 | anderson@1999 34 | Computer Programmer 35 | 36 | 37 | -------------------------------------------------------------------------------- /src/main/webapp/admin/manageusers.jsp: --------------------------------------------------------------------------------
    1 | <%@ include file="/header.jsp" %>
    2 | <%@page import="java.sql.Statement"%>
    3 | <%@page import="java.sql.ResultSet"%>
    4 | <%@page import="java.sql.SQLException"%>
    5 | <%@page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
    6 | <%@page import="java.sql.Connection"%>
    7 |
    8 | <%
         // Admin page: deletes the user named by the "user" parameter when "delete" is
         // present, then lists every row of users whose privilege is 'user'.
         // NOTE(review): no privilege check is visible in this file before the delete.
         // AddPage.jsp on this page tests the session attribute "privilege" for "admin"
         // first; header.jsp is included but not shown here - confirm whether it gates
         // the /admin/ pages.
         // NOTE(review): con and stmt are not closed anywhere in the scriptlets shown.
    9 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
    10 | Statement stmt = con.createStatement();
    11 | if(request.getParameter("delete")!=null)
    12 | {
    13 |     String user=request.getParameter("user");
              // NOTE(review): "user" comes straight from the request and is concatenated
              // into the SQL text. Bind it instead: a PreparedStatement for
              // "Delete from users where username=?" with setString(1, user).
              // The delete is driven by request parameters alone; no anti-CSRF token
              // check is visible in this scriptlet.
    14 |     stmt.executeUpdate("Delete from users where username='"+user+"'");
    15 | }
    16 | %>
    17 |
    18 | <%
    19 | ResultSet rs=stmt.executeQuery("select * from users where privilege='user'");
    20 | while(rs.next())
    21 | {
              // NOTE(review): the stored username is written into the page without
              // HTML encoding.
    22 |     out.print(" "+rs.getString("username")+"
    ");
    23 | }
    24 | %>
    25 |
    26 | 27 | 28 |
    29 |
    30 | Back to Admin Panel 31 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/forumposts.jsp: --------------------------------------------------------------------------------
    1 | <%@page import="java.sql.ResultSet"%>
    2 | <%@page import="java.sql.Statement"%>
    3 | <%@page import="java.sql.Connection"%>
    4 | <%@ include file="/header.jsp" %>
    5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
    6 | <%
         // Shows one forum post: reads the "postid" request parameter, selects the
         // matching row from posts and prints its title, user and content columns.
         // NOTE(review): con, stmt and rs are not closed anywhere in this page.
    7 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
    8 |
    9 | String postid=request.getParameter("postid");
    10 | if(postid!=null)
    11 | {
    12 |     Statement stmt = con.createStatement();
    13 |     ResultSet rs =null;
              // NOTE(review): postid is request input appended to the SQL text as-is.
              // Use a PreparedStatement with a "?" placeholder and a bound value;
              // pages.jsp on this page runs the same query but passes the id through
              // Integer.parseInt first.
    14 |     rs=stmt.executeQuery("select * from posts where postid="+postid);
    15 |     if(rs != null && rs.next())
    16 |     {
                  // NOTE(review): title, user and content are printed without HTML
                  // encoding. If those columns hold user-submitted text (presumably, for
                  // a forum - confirm), encode them on output, e.g. with JSTL c:out.
    17 |         out.print("Title:"+rs.getString("title")+"");
    18 |         out.print("
    - Posted By "+rs.getString("user"));
    19 |         out.print("

    Content:
    "+rs.getString("content"));
    20 |     }
    21 | }
    22 | else
    23 | {
    24 |     out.print("ID Parameter is Missing");
    25 | }
    26 |
    27 | out.print("

    Return to Forum >>");
    28 | %>
    29 |
    30 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/SendMessage.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.sql.ResultSet"%> 2 | <%@page import="java.sql.Statement"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@ include file="/header.jsp" %> 5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 6 | <% 7 | if(session.getAttribute("isLoggedIn")!=null) 8 | { 9 | if(request.getParameter("status")!=null) 10 | { 11 | out.print(request.getParameter("status")); //Displaying any error message 12 | } 13 | 14 | %> 15 |

    16 |
    17 | 18 | 19 | 20 | 21 | 22 | 23 |
    Recipient: "/>
    Subject :
    Message :
    "/>
    24 |
    25 | <% 26 | 27 | } 28 | else 29 | { 30 | out.print("* Please login to send message"); 31 | } 32 | %> 33 | 34 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/2.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 10 | 11 | 12 | 13 | 14 | 17 | 18 |

    List of Courses:

    19 | 20 |
      21 | 22 |
    • 23 | 24 | 25 | 26 | 27 | 28 | 29 |
    • 30 | 31 |
      32 |
    33 |
    34 | 35 |
    36 | -------------------------------------------------------------------------------- /src/main/webapp/install.jsp: -------------------------------------------------------------------------------- 1 | 2 | 3 | <%@ include file="/header.jsp" %> 4 | 5 | 6 |
    7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |
    Website Title:
    Database Name:
    Database User:
    Database Password:
    JDBC Driver:
    JDBC URL:
    Admin Login Credential:
    Username(Default):
    Password(Default):
    22 |
    23 |
    24 | Note:If a database already exits, it will be dropped 25 | 26 | 27 | 28 | <%@ include file="/footer.jsp" %> 29 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/UserDetails.jsp: --------------------------------------------------------------------------------
    1 | <%@page import="java.sql.ResultSet"%>
    2 | <%@page import="java.sql.Statement"%>
    3 | <%@page import="java.sql.Connection"%>
    4 | <%@ include file="/header.jsp" %>
    5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%>
    6 | <%
         // Profile page: looks up the users row whose username equals the "username"
         // request parameter and prints its username and about columns; logged-in
         // visitors viewing someone else's profile also get a "Send Message" line.
         // NOTE(review): con, stmt and rs are not closed anywhere in this page.
    7 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties"));
    8 | String username=request.getParameter("username");
    9 | if(username!=null && !username.equals(""))
    10 | {
    11 |     Statement stmt = con.createStatement();
    12 |     ResultSet rs =null;
              // NOTE(review): username is request input placed between quotes in the SQL
              // text. Bind it instead: a PreparedStatement for
              // "select * from users where username=?" with setString(1, username).
    13 |     rs=stmt.executeQuery("select * from users where username='"+username+"'");
    14 |     if(rs != null && rs.next())
    15 |     {
                  // NOTE(review): the stored username and about values are printed
                  // without HTML encoding; encode them on output.
    16 |         out.print("
    About "+rs.getString("username")+":
    "+rs.getString("about"));
    17 |
    18 |     }
    19 |
              // NOTE(review): assumes the "user" session attribute is always set when
              // "isLoggedIn" is; a null value here throws NullPointerException.
    20 |     if(session.getAttribute("isLoggedIn")!=null && !session.getAttribute("user").equals(username))
    21 |     {
    22 |         out.print("

    ");
                  // NOTE(review): this echoes the request parameter itself (not the
                  // database value) into the page without HTML encoding.
    23 |         out.print("Send Message to "+username+"");
    24 |     }
    25 | }
    26 | else
    27 | {
    28 |     out.print("Username Parameter is Missing");
    29 | }
    30 |
    31 | out.print("

    Return to Forum >>");
    32 | %>
    33 |
    34 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Messages.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.sql.ResultSet"%> 2 | <%@page import="java.sql.Statement"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@ include file="/header.jsp" %> 5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 6 | <% 7 | if(session.getAttribute("isLoggedIn")!=null) 8 | { 9 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 10 | if(con!=null && !con.isClosed()) 11 | { 12 | Statement stmt = con.createStatement(); 13 | ResultSet rs =null; 14 | rs=stmt.executeQuery("select * from UserMessages where recipient='"+session.getAttribute("user")+"'"); 15 | out.print("

    Message:
    "); 16 | out.println("
      "); 17 | while (rs.next()) 18 | { 19 | out.print("
    1. "+rs.getString("subject")+"
    2. "); 20 | 21 | } 22 | out.println("
    "); 23 | } 24 | out.print("

    Return to Profile Page >>"); 25 | 26 | } 27 | else 28 | { 29 | out.print("* Please login to send message"); 30 | } 31 | %> 32 | 33 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/baasm/SiteTitle.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.FileOutputStream"%> 2 | <%@ include file="/header.jsp" %> 3 | <% 4 | 5 | String privilege=""; 6 | 7 | Cookie[] cookies = request.getCookies(); 8 | if (cookies != null) 9 | for (Cookie c : cookies) { 10 | if ("privilege".equals(c.getName())) { 11 | privilege= c.getValue(); 12 | } 13 | } 14 | 15 | if(!privilege.equalsIgnoreCase("") && privilege.equalsIgnoreCase("admin")) 16 | { 17 | 18 | %> 19 |
    20 | 21 | 22 | 23 |
    Website Title:
    24 |
    25 | 26 | <% 27 | if(request.getParameter("save")!=null) 28 | { 29 | Properties props=new Properties(); 30 | 31 | props.load(new FileInputStream(configPath)); 32 | props.setProperty("siteTitle",request.getParameter("siteTitle")); 33 | FileOutputStream fileout = new FileOutputStream(configPath); 34 | props.store(fileout, null); 35 | fileout.close(); 36 | out.print(" Configuration saved "); 37 | } 38 | } 39 | else 40 | { 41 | out.print(" x You Are not Authorized to view this Page
    "); 42 | out.print(" ✔ only admin can view this page"); 43 | } 44 | %> 45 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: --------------------------------------------------------------------------------
    1 | /*
    2 |  * To change this license header, choose License Headers in Project Properties.
    3 |  * To change this template file, choose Tools | Templates
    4 |  * and open the template in the editor.
    5 |  */
    6 |
    7 | package org.cysecurity.cspf.jvl.model;
    8 |
    9 |
    10 | import java.io.FileInputStream;
    11 | import java.io.IOException;
    12 | import java.io.InputStream;
    13 | import java.sql.Connection;
    14 | import java.sql.DriverManager;
    15 | import java.sql.SQLException;
    16 | import java.util.Properties;
    17 |
    18 | /**
    19 |  * Opens JDBC connections from the settings in a properties file.
    20 |  * @author breakthesec
    21 |  */
    22 | public class DBConnect {
             /**
              * Loads the properties file at {@code path} and returns a new JDBC connection.
              *
              * Keys read: dbuser, dbpass, dburl, dbname and jdbcdriver. The JDBC URL is
              * dburl followed directly by dbname; a missing key is concatenated as the
              * text "null".
              *
              * NOTE(review):
              * - The FileInputStream handed to properties.load() is never closed, so each
              *   call leaves an open file handle behind.
              * - The finally block is empty and the try has no catch; exceptions simply
              *   propagate to the caller.
              * - Nothing here closes the returned Connection. The JSPs visible on this page
              *   call connect() on each request and show no close() call.
              * - config.properties on this page stores dbuser=root and its password in clear
              *   text. A dedicated account limited to the application's own schema reduces
              *   what a query built from request input can reach.
              *
              * @param path file system path of the properties file
              * @return an open connection; the caller is responsible for closing it
              * @throws IOException if the properties file cannot be read
              * @throws ClassNotFoundException if the jdbcdriver class cannot be loaded
              * @throws SQLException if the driver cannot open the connection
              */
    23 |     public Connection connect(String path) throws IOException,ClassNotFoundException,SQLException
    24 |     {
    25 |         Properties properties=new Properties();
    26 |         properties.load(new FileInputStream(path));
    27 |         String dbuser=properties.getProperty("dbuser");
    28 |         String dbpass = properties.getProperty("dbpass");
    29 |         String dbfullurl = properties.getProperty("dburl")+properties.getProperty("dbname");
    30 |         String jdbcdriver = properties.getProperty("jdbcdriver");
    31 |         Connection con=null;
    32 |         try
    33 |         {
                     // Loading the driver class by name comes first; the connection is
                     // then requested from DriverManager.
    34 |             Class.forName(jdbcdriver);
    35 |             con= DriverManager.getConnection(dbfullurl,dbuser,dbpass);
    36 |             return con;
    37 |         }
    38 |         finally
    39 |         {
    40 |
    41 |         }
    42 |     }
    43 | }
    -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/securitymisconfig/pages.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.sql.SQLException"%> 2 | <%@page import="java.sql.ResultSet"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.Connection"%> 5 | <%@ include
file="/header.jsp" %> 6 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 7 | <% 8 | try 9 | { 10 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 11 | 12 | String id=request.getParameter("id"); 13 | 14 | if(id!=null && !id.equals("")) 15 | { 16 | int idNumber=Integer.parseInt(id); 17 | Statement stmt = con.createStatement(); 18 | ResultSet rs =null; 19 | rs=stmt.executeQuery("select * from posts where postid="+idNumber); 20 | if(rs != null && rs.next()) 21 | { 22 | out.print("Title:"+rs.getString("title")+""); 23 | out.print("
    - Posted By "+rs.getString("user")); 24 | out.print("

    Content:
    "+rs.getString("content")); 25 | } 26 | } 27 | else 28 | { 29 | out.print("ID Parameter is Missing"); 30 | } 31 | } 32 | catch(SQLException e) 33 | { 34 | out.print(e.getMessage()); 35 | } 36 | out.print("

    Return to Forum >>"); 37 | %> 38 | 39 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/1.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 10 | 11 | 12 | 13 | 14 | 17 | 18 |

    List of Courses:

    19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 34 | 35 | 36 | 37 |
    Course NameURL
    28 | 29 | 30 | 31 | Sign Up 32 | 33 |
    38 | 39 |
    40 | 41 |
    42 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/csrf/change-info.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <%@page import="java.sql.Connection"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.SQLException"%> 5 | 6 | <%@page import="java.sql.ResultSetMetaData"%> 7 | <%@page import="java.sql.ResultSet"%> 8 | <%@ page import="java.util.*,java.io.*"%> 9 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 10 | 11 | 12 | <% 13 | if(session.getAttribute("isLoggedIn")!=null) 14 | { 15 | %> 16 | Change Details About You:

    17 |
    18 | Description: 19 |

    20 | 21 |
    22 |
    23 | <% 24 | /* A connection is opened on every request, before any parameter is checked; nothing in this page closes it. */ Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 25 | 26 | String info=request.getParameter("info"); 27 | String id=session.getAttribute("userid").toString(); 28 | /* id comes from the session, so the row updated is the logged-in user's own. The only request value read is "info", and no anti-CSRF token is checked before the update. The id!=null test cannot fail: toString() above would already have thrown. */ if(info!=null && !info.equals("") && id!=null) 29 | { 30 | Statement stmt = con.createStatement(); 31 | /* NOTE(review): info is concatenated into the SQL text unescaped; bind it with a PreparedStatement ("Update users set about=? where id=?") instead. */ stmt.executeUpdate("Update users set about='"+info+"' where id="+id); 32 | out.print("info Changed"); 33 | } 34 | 35 | out.print("

    Return to Profile Page >>"); 36 | 37 | } 38 | else 39 | { 40 | out.print("Please login to see Your Profile"); 41 | } 42 | 43 | %> 44 | 45 | 46 | 47 | 48 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/idor/change-email.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <%@page import="java.sql.Connection"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.SQLException"%> 5 | 6 | <%@page import="java.sql.ResultSetMetaData"%> 7 | <%@page import="java.sql.ResultSet"%> 8 | <%@ page import="java.util.*,java.io.*"%> 9 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 10 | 11 | 12 | <% 13 | if(session.getAttribute("isLoggedIn")!=null) 14 | { 15 | %> 16 | Enter the New Email:

    17 |
    18 | New Email ID: 19 | "/> 20 |

    21 | 22 |
    23 |
    24 | <% 25 | /* A connection is opened on every request, before any parameter is checked; nothing in this page closes it. */ Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 26 | 27 | String email=request.getParameter("email"); 28 | /* NOTE(review): id is taken from the request, not from the session, and is never compared with the logged-in user's id, so the caller chooses which row is updated. Use session.getAttribute("userid"), as csrf/change-info.jsp does. */ String id=request.getParameter("id"); 29 | if(email!=null && !email.equals("") && id!=null) 30 | { 31 | Statement stmt = con.createStatement(); 32 | /* NOTE(review): email and id are concatenated into the SQL text; bind both with a PreparedStatement. */ stmt.executeUpdate("Update users set email='"+email+"' where id="+id); 33 | out.print("email Changed"); 34 | } 35 | 36 | out.print("

    Return to Profile Page >>"); 37 | 38 | } 39 | else 40 | { 41 | out.print("Please login to see Your Profile"); 42 | } 43 | 44 | %> 45 | 46 | 47 | 48 | 49 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/idor/download.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.DataInputStream"%> 2 | <%@page import="java.io.FileInputStream"%> 3 | <%@page import="java.io.File"%> 4 | <% 5 | /* When a "file" parameter is present, streams that file from the docs directory as an attachment; otherwise the else branch renders the download page. */ if(request.getParameter("file")!=null) 6 | { 7 | String context = request.getContextPath(); 8 | 9 | int BUFSIZE = 4096; 10 | String filePath; 11 | filePath = request.getParameter("file"); 12 | File file = new File(getServletContext().getRealPath(context)); 13 | /* NOTE(review): filePath is request-controlled and is appended to the docs path unchecked. Nothing here verifies that the resolved file stays inside /docs/, and no session or ownership check precedes the read. Compare the canonical path with the docs directory, or map an id to a server-side list of files, before opening it. */ file = new File(file.getParent()+"/docs/"+filePath); 14 | int length = 0; 15 | ServletOutputStream outStream = response.getOutputStream(); 16 | response.setContentType("text/html"); 17 | response.setContentLength((int)file.length()); 18 | /* Only the last path element is used for the download name. */ String fileName = (new File(filePath)).getName(); 19 | response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\""); 20 | 21 | byte[] byteBuffer = new byte[BUFSIZE]; 22 | DataInputStream in = new DataInputStream(new FileInputStream(file)); 23 | 24 | /* in was just created with new, so the null test is always true; the loop ends when read() returns -1. */ while ((in != null) && ((length = in.read(byteBuffer)) != -1)) 25 | { 26 | outStream.write(byteBuffer,0,length); 27 | } 28 | 29 | /* Not in a finally block: an exception while copying leaves the input stream open. */ in.close(); 30 | outStream.close(); 31 | } 32 | else 33 | { 34 | %> 35 | <%@ include file="/header.jsp" %> 36 |

    Download Files:


    37 | 41 | 42 | <%@ include file="/footer.jsp" %> 43 | <% 44 | } 45 | %> -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | org.cysecurity 5 | JavaVulnerableLab 6 | war 7 | 0.0.1-SNAPSHOT 8 | JavaVulnerableLab Maven Webapp 9 | http://maven.apache.org 10 | 11 | 12 | junit 13 | junit 14 | 3.8.1 15 | test 16 | 17 | 18 | mysql 19 | mysql-connector-java 20 | 5.1.26 21 | 22 | 23 | org.json 24 | json 25 | 20090211 26 | 27 | 28 | javax.servlet 29 | jstl 30 | 1.2 31 | 32 | 33 | org.hibernate 34 | hibernate-core 35 | 4.0.1.Final 36 | 37 | 38 | javax.servlet 39 | servlet-api 40 | 2.3 41 | provided 42 | 43 | 44 | 45 | JavaVulnerableLab 46 | 47 | 48 | 1.7 49 | 1.7 50 | 51 | 52 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/DisplayMessage.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.sql.ResultSet"%> 2 | <%@page import="java.sql.Statement"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@ include file="/header.jsp" %> 5 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 6 | <% 7 | if(session.getAttribute("isLoggedIn")!=null) 8 | { 9 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 10 | if(con!=null && !con.isClosed()) 11 | { 12 | if(request.getParameter("msgid")!=null) 13 | { 14 | Statement stmt = con.createStatement(); 15 | ResultSet rs =null; 16 | rs=stmt.executeQuery("select * from UserMessages where msgid="+request.getParameter("msgid")); 17 | if(rs.next()) 18 | { 19 | out.print("Sender: "+rs.getString("sender")); 20 | out.print("
    Subject:"+rs.getString("subject")); 21 | out.print("
    Message:
    "+rs.getString("msg")); 22 | } 23 | else 24 | { 25 | out.print("No Message Found"); 26 | } 27 | } 28 | else 29 | { 30 | out.print("Message Id Parameter is missing"); 31 | 32 | } 33 | out.print("

    Return to Messages >>"); 34 | 35 | out.print("

    Return to Profile Page >>"); 36 | 37 | } 38 | 39 | } 40 | else 41 | { 42 | out.print("* Please login to send message"); 43 | } 44 | %> 45 | 46 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/csrf/changepassword.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <%@page import="java.sql.Connection"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.SQLException"%> 5 | 6 | <%@page import="java.sql.ResultSetMetaData"%> 7 | <%@page import="java.sql.ResultSet"%> 8 | <%@ page import="java.util.*,java.io.*"%> 9 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 10 | 11 | 12 | <% 13 | if(session.getAttribute("isLoggedIn")!=null) 14 | { 15 | String id=session.getAttribute("userid").toString(); 16 | %> 17 | Enter the New Password:

    18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 |
    New Password:
    Confirm Password:
    26 |
    27 | <% 28 | /* A connection is opened on every request, before any parameter is checked; nothing in this block closes it. */ Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 29 | 30 | /* The update path runs whenever the "change" parameter is present. Only password and confirmpassword are read, so neither the current password nor an anti-CSRF token is required. */ String action=request.getParameter("change"); 31 | if(action!=null) 32 | { 33 | String pass=request.getParameter("password"); 34 | String confirmPass=request.getParameter("confirmpassword"); 35 | if(pass!=null && confirmPass!=null && !pass.equals("") ) 36 | { 37 | if(pass.equals(confirmPass) ) 38 | { 39 | Statement stmt = con.createStatement(); 40 | /* NOTE(review): pass is concatenated into the SQL text and written to the password column exactly as received (no hashing in this block). Use a PreparedStatement and store a salted password hash. id is the session userid read earlier in this page. */ stmt.executeUpdate("Update users set password='"+pass+"' where id="+id); 41 | out.print("Password Changed"); 42 | out.print("

    Return to the Previous page "); 43 | } 44 | else 45 | { 46 | out.print("Passwords didn't match"); 47 | } 48 | 49 | } 50 | else 51 | { 52 | out.print("Password can't be empty"); 53 | } 54 | } 55 | } 56 | 57 | %> 58 | 59 | 60 | 61 | 62 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/Injection/orm.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@page import="org.hibernate.cfg.Configuration"%> 3 | <%@page import="org.hibernate.SessionFactory"%> 4 | <%@page import="java.util.List"%> 5 | <%@page import="org.cysecurity.cspf.jvl.model.orm.Users"%> 6 | <%@page import="org.hibernate.Query"%> 7 | <%@page import="org.hibernate.Session"%> 8 | <%@ include file="/header.jsp" %> 9 | <%! 10 | private static String queryUsers(Session session,String id) { 11 | Query query = session.createQuery("from Users where id="+id); 12 | List list = query.list(); 13 | java.util.Iterator iter = list.iterator(); 14 | String results="Details:
    ---------------
    "; 15 | if (iter.hasNext()) { 16 | Users users = iter.next(); 17 | results+= "Name: " + users.getUsername() +"
    About: " + users.getAbout(); 18 | } 19 | session.getTransaction().commit(); 20 | return results; 21 | 22 | } 23 | 24 | %> 25 | <% 26 | 27 | try{ 28 | 29 | //Reading config from properties file: 30 | String dbuser=properties.getProperty("dbuser"); 31 | String dbpass = properties.getProperty("dbpass"); 32 | String dbfullurl = properties.getProperty("dburl")+properties.getProperty("dbname"); 33 | String jdbcdriver = properties.getProperty("jdbcdriver"); 34 | 35 | Configuration configuration = new Configuration(); 36 | configuration.setProperty( "hibernate.connection.driver_class",jdbcdriver); 37 | configuration.setProperty( "hibernate.connection.url",dbfullurl); 38 | configuration.setProperty( "hibernate.connection.username", dbuser); 39 | configuration.setProperty( "hibernate.connection.password", dbpass); 40 | configuration.setProperty( "hibernate.dialect","org.hibernate.dialect.MySQLDialect"); 41 | 42 | 43 | configuration.addResource("Users.hbm.xml"); 44 | SessionFactory factory; 45 | factory=configuration.buildSessionFactory(); 46 | Session ormSession = factory.openSession(); 47 | 48 | ormSession.beginTransaction(); 49 | 50 | out.print(queryUsers(ormSession,request.getParameter("id"))); 51 | 52 | } 53 | catch(Exception e) 54 | { 55 | out.print(e); 56 | } 57 | 58 | %> 59 | 60 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/Register.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | Document : Register 3 | Created on : 2 Dec, 2014, 10:47:44 AM 4 | Author : breakthesec 5 | --%> 6 | <%@ include file="header.jsp" %> 7 | 41 |
    42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 |
    UserName:
    Email:
    Describer Yourself:
    What's Your Pet's name?:
    Password :
    50 |
    51 | <%@ include file="footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/ForgotPassword.jsp: -------------------------------------------------------------------------------- 1 | 2 | <%@page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.ResultSet"%> 5 | <%@page import="java.sql.Connection"%> 6 | <%@ include file="header.jsp" %> 7 | 26 | 27 | Password Recovery: 28 |
    29 | 30 | 31 | 32 | 33 |
    Username:
    What's Your Pet's name?:
    34 |

    35 | 36 | <% 37 | /* Runs the lookup only when a "secret" parameter is present; a request with secret but no username fails on the trim() call below. */ if(request.getParameter("secret")!=null) 38 | { 39 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 40 | ResultSet rs=null; 41 | Statement stmt = con.createStatement(); 42 | /* NOTE(review): username and secret are concatenated into the SQL text; bind both with a PreparedStatement. The connection, statement and result set are never closed. */ rs=stmt.executeQuery("select * from users where username='"+request.getParameter("username").trim()+"' and secret='"+request.getParameter("secret")+"'"); 43 | if(rs != null && rs.next()){ 44 | /* NOTE(review): the page prints whatever the password column holds for the matched row. A recovery flow should issue a one-time reset token instead of returning a stored credential. */ out.print("Hello "+rs.getString("username")+", Your Password is: "+rs.getString("password")); 45 | } 46 | else 47 | { 48 | out.print(" Secret/Email is wrong"); 49 | } 50 | } 51 | 52 | %> 53 | 54 | <%@ include file="footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/sqli/download_id_union.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.DataInputStream"%> 2 | <%@page import="java.io.FileInputStream"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@page import="java.sql.Statement"%> 5 | <%@page import="java.sql.SQLException"%> 6 | 7 | <%@page import="java.sql.ResultSetMetaData"%> 8 | <%@page import="java.sql.ResultSet"%> 9 | <%@ page import="java.util.*,java.io.*"%> 10 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 11 | 12 | 13 | <%@page import="java.io.File"%> 14 | <% 15 | String path = request.getContextPath(); 16 | try 17 | { 18 | String fileid=request.getParameter("fileid"); 19 | if(fileid!=null && !fileid.equals("")) 20 | { 21 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 22 | Statement stmt = con.createStatement(); 23 | ResultSet rs =null; 24 | /* NOTE(review): fileid is concatenated into the query unquoted, and the "path" column of the returned row decides which file is streamed, so the query result has to be trustworthy. Bind fileid as an integer parameter of a PreparedStatement. */ rs=stmt.executeQuery("select * from FilesList where fileid="+fileid); 25 | if(rs != null && rs.next()) 26 | { 27 | 28 | int BUFSIZE = 4096; 29 | String filePath=rs.getString("path"); 30 | 31 | File file = new File(getServletContext().getRealPath(path)); 32 | file = new
File(file.getParent()+filePath); 33 | int length = 0; 34 | ServletOutputStream outStream = response.getOutputStream(); 35 | response.setContentType("text/html"); 36 | response.setContentLength((int)file.length()); 37 | String fileName = (new File(filePath)).getName(); 38 | response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\""); 39 | 40 | byte[] byteBuffer = new byte[BUFSIZE]; 41 | DataInputStream in = new DataInputStream(new FileInputStream(file)); 42 | 43 | while ((in != null) && ((length = in.read(byteBuffer)) != -1)) 44 | { 45 | outStream.write(byteBuffer,0,length); 46 | } 47 | 48 | in.close(); 49 | outStream.close(); 50 | } 51 | else 52 | { 53 | out.print("File Not Found"); 54 | } 55 | } 56 | else 57 | { 58 | out.print("File Parameter is missing"); 59 | } 60 | } 61 | catch(Exception e) 62 | { 63 | out.print("Oops, Something Went wrong"); 64 | } 65 | %> -------------------------------------------------------------------------------- /src/main/webapp/changeCardDetails.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <%@page import="java.sql.Connection"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.SQLException"%> 5 | 6 | <%@page import="java.sql.ResultSetMetaData"%> 7 | <%@page import="java.sql.ResultSet"%> 8 | <%@ page import="java.util.*,java.io.*"%> 9 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 10 | 11 | 12 | <% 13 | if(session.getAttribute("isLoggedIn")!=null) 14 | { 15 | %> 16 | Change Credit Card Info:

    17 |
    18 | 19 | 20 | 21 | 22 | 23 |
    Card Number:
    CVV:
    Expiry Date:
    24 |
    25 |
    26 | <% 27 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 28 | 29 | String id=session.getAttribute("userid").toString(); //Gets User ID 30 | String action=request.getParameter("action"); 31 | try 32 | { 33 | 34 | if(action!=null && action.equalsIgnoreCase("add") ) 35 | { 36 | 37 | String cardno=request.getParameter("cardno"); 38 | String cvv=request.getParameter("cvv"); 39 | String expirydate=request.getParameter("expirydate"); 40 | if(!cardno.equals("") && !cvv.equals("") && !expirydate.equals("")) 41 | { 42 | Statement stmt = con.createStatement(); 43 | stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('"+id+"','"+cardno+"','"+cvv+"','"+expirydate+"')"); 44 | out.print(" * Card details added *"); 45 | } 46 | else 47 | { 48 | out.print("* Please Fill all the details * "); 49 | } 50 | } 51 | 52 | out.print("

    Return to Profile Page >>"); 53 | 54 | } 55 | catch(Exception e) 56 | { 57 | out.print(e); 58 | } 59 | } 60 | else 61 | { 62 | out.print("Please login to view this page"); 63 | } 64 | 65 | %> 66 | 67 | 68 | 69 | 70 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/sqli/download_id.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.DataInputStream"%> 2 | <%@page import="java.io.FileInputStream"%> 3 | <%@page import="java.sql.Connection"%> 4 | <%@page import="java.sql.Statement"%> 5 | <%@page import="java.sql.SQLException"%> 6 | 7 | <%@page import="java.sql.ResultSetMetaData"%> 8 | <%@page import="java.sql.ResultSet"%> 9 | <%@ page import="java.util.*,java.io.*"%> 10 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 11 | 12 | 13 | <%@page import="java.io.File"%> 14 | <% 15 | String path = request.getContextPath(); 16 | try 17 | { 18 | String fileid=request.getParameter("fileid"); 19 | if(fileid!=null && !fileid.equals("")) 20 | { 21 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 22 | Statement stmt = con.createStatement(); 23 | ResultSet rs =null; 24 | rs=stmt.executeQuery("select * from FilesList where fileid="+fileid); 25 | if(rs != null && rs.next()) 26 | { 27 | 28 | int BUFSIZE = 4096; 29 | String filePath=rs.getString("path"); 30 | 31 | File file = new File(getServletContext().getRealPath(path)); 32 | file = new File(file.getParent()+filePath); 33 | int length = 0; 34 | ServletOutputStream outStream = response.getOutputStream(); 35 | response.setContentType("text/html"); 36 | response.setContentLength((int)file.length()); 37 | String fileName = (new File(filePath)).getName(); 38 | response.setHeader("Content-Disposition", "attachment; filename=\"" +new Random().nextInt(10000)+ "\""); 39 | 40 | byte[] byteBuffer = new byte[BUFSIZE]; 
41 | DataInputStream in = new DataInputStream(new FileInputStream(file)); 42 | 43 | while ((in != null) && ((length = in.read(byteBuffer)) != -1)) 44 | { 45 | outStream.write(byteBuffer,0,length); 46 | } 47 | 48 | in.close(); 49 | outStream.close(); 50 | } 51 | else 52 | { 53 | out.print("File Not Found"); 54 | } 55 | } 56 | else 57 | { 58 | out.print("File Parameter is missing"); 59 | } 60 | } 61 | catch(Exception e) 62 | { 63 | out.print("Oops, Something Went wrong"); 64 | } 65 | %> -------------------------------------------------------------------------------- /src/main/webapp/myprofile.jsp: -------------------------------------------------------------------------------- 1 | <%@ include file="/header.jsp" %> 2 | <%@page import="java.sql.Connection"%> 3 | <%@page import="java.sql.Statement"%> 4 | <%@page import="java.sql.SQLException"%> 5 | 6 | <%@page import="java.sql.ResultSetMetaData"%> 7 | <%@page import="java.sql.ResultSet"%> 8 | <%@ page import="java.util.*,java.io.*"%> 9 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 10 | 11 | <% 12 | if(session.getAttribute("isLoggedIn")!=null) 13 | { 14 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 15 | 16 | String id=request.getParameter("id"); 17 | if(id!=null && !id.equals("")) 18 | { 19 | Statement stmt = con.createStatement(); 20 | ResultSet rs =null; 21 | rs=stmt.executeQuery("select * from users where id="+id); 22 | if(rs != null && rs.next()) 23 | { 24 | out.print("UserName : "+rs.getString("username")+"
    "); 25 | out.print("Email : "+rs.getString("email")+"
    "); 26 | out.print("About : "+rs.getString("about")+"
    "); 27 | 28 | //Getting Card Details: 29 | ResultSet rs1=stmt.executeQuery("select * from cards where id="+id); 30 | if(rs1 != null && rs1.next()) 31 | { 32 | out.print("
    -------------------
    Card Details:
    -------------------
    "); 33 | out.print("Card Number: "+rs1.getString("cardno")+"
    "); 34 | out.print("CVV: "+rs1.getString("cvv")+"
    "); 35 | out.print("Expiry Date: "+rs1.getString("expirydate")+"
    "); 36 | } 37 | else 38 | { 39 | out.print("
    No Card Details Found: Add Card
    "); 40 | } 41 | } 42 | } 43 | else 44 | { 45 | out.print("ID Parameter is Missing"); 46 | } 47 | 48 | out.print("

    "); 55 | out.print("
    Return to Forum >>"); 56 | 57 | } 58 | else 59 | { 60 | out.print("Please login to see Your Profile"); 61 | } 62 | 63 | %> 64 | 65 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/Logout.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import javax.servlet.ServletException; 12 | import javax.servlet.http.HttpServlet; 13 | import javax.servlet.http.HttpServletRequest; 14 | import javax.servlet.http.HttpServletResponse; 15 | import javax.servlet.http.HttpSession; 16 | 17 | /** 18 | * 19 | * @author breakthesec 20 | */ 21 | public class Logout extends HttpServlet { 22 | 23 | /** 24 | * Processes requests for both HTTP GET and POST 25 | * methods. 26 | * 27 | * @param request servlet request 28 | * @param response servlet response 29 | * @throws ServletException if a servlet-specific error occurs 30 | * @throws IOException if an I/O error occurs 31 | */ 32 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 33 | throws ServletException, IOException { 34 | response.setContentType("text/html;charset=UTF-8"); 35 | try { 36 | PrintWriter out = response.getWriter(); 37 | /* TODO output your page here. You may use following sample code. */ 38 | HttpSession session=request.getSession(); 39 | session.invalidate(); 40 | response.sendRedirect("index.jsp"); 41 | } 42 | catch(Exception e) 43 | { 44 | 45 | } 46 | } 47 | 48 | // 49 | /** 50 | * Handles the HTTP GET method. 
51 | * 52 | * @param request servlet request 53 | * @param response servlet response 54 | * @throws ServletException if a servlet-specific error occurs 55 | * @throws IOException if an I/O error occurs 56 | */ 57 | @Override 58 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 59 | throws ServletException, IOException { 60 | processRequest(request, response); 61 | } 62 | 63 | /** 64 | * Handles the HTTP POST method. 65 | * 66 | * @param request servlet request 67 | * @param response servlet response 68 | * @throws ServletException if a servlet-specific error occurs 69 | * @throws IOException if an I/O error occurs 70 | */ 71 | @Override 72 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 73 | throws ServletException, IOException { 74 | processRequest(request, response); 75 | } 76 | 77 | /** 78 | * Returns a short description of the servlet. 79 | * 80 | * @return a String containing servlet description 81 | */ 82 | @Override 83 | public String getServletInfo() { 84 | return "Short description"; 85 | }// 86 | 87 | } 88 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/Open.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import javax.servlet.ServletException; 12 | import javax.servlet.http.HttpServlet; 13 | import javax.servlet.http.HttpServletRequest; 14 | import javax.servlet.http.HttpServletResponse; 15 | 16 | /** 17 | * Servlet that redirects the client to a URL taken from the request. 18 | * @author breakthesec 19 | */ 20 | public class Open extends HttpServlet { 21 | 22 | /** 23 | * Redirects the client to the value of the "url" request parameter, or prints "Missing url parameter" when it is absent; serves both HTTP GET and POST 24 | * methods. 25 | * NOTE(review): url goes to sendRedirect() unvalidated, so the redirect target is whatever the link supplies. Accept only relative paths or hosts on an allow-list. 26 | * @param request servlet request 27 | * @param response servlet response 28 | * @throws ServletException if a servlet-specific error occurs 29 | * @throws IOException if an I/O error occurs 30 | */ 31 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 32 | throws ServletException, IOException { 33 | response.setContentType("text/html;charset=UTF-8"); 34 | try { 35 | PrintWriter out = response.getWriter(); 36 | String url=request.getParameter("url"); 37 | if(url!=null) 38 | { 39 | response.sendRedirect(url); 40 | } 41 | else 42 | { 43 | out.print("Missing url parameter"); 44 | } 45 | } 46 | /* Every exception is swallowed here; nothing is logged or reported to the client. */ catch(Exception e) 47 | { 48 | 49 | } 50 | } 51 | 52 | // 53 | /** 54 | * Handles the HTTP GET method. 55 | * 56 | * @param request servlet request 57 | * @param response servlet response 58 | * @throws ServletException if a servlet-specific error occurs 59 | * @throws IOException if an I/O error occurs 60 | */ 61 | @Override 62 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 63 | throws ServletException, IOException { 64 | processRequest(request, response); 65 | } 66 | 67 | /** 68 | * Handles the HTTP POST method.
69 | * 70 | * @param request servlet request 71 | * @param response servlet response 72 | * @throws ServletException if a servlet-specific error occurs 73 | * @throws IOException if an I/O error occurs 74 | */ 75 | @Override 76 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 77 | throws ServletException, IOException { 78 | processRequest(request, response); 79 | } 80 | 81 | /** 82 | * Returns a short description of the servlet. 83 | * 84 | * @return a String containing servlet description 85 | */ 86 | @Override 87 | public String getServletInfo() { 88 | return "Short description"; 89 | }// 90 | 91 | } 92 | -------------------------------------------------------------------------------- /src/main/webapp/admin/adminlogin.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="org.cysecurity.cspf.jvl.model.HashMe"%> 2 | <%@page import="java.sql.Statement"%> 3 | <%@page import="java.sql.ResultSet"%> 4 | <%@page import="java.sql.SQLException"%> 5 | <%@page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 6 | <%@page import="java.sql.Connection"%> 7 | <% 8 | if(request.getParameter("Login")!=null) 9 | { 10 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 11 | String user=request.getParameter("username"); 12 | String pass=HashMe.hashMe(request.getParameter("password")); //Hashed Password 13 | try 14 | { 15 | if(con!=null && !con.isClosed()) 16 | { 17 | ResultSet rs=null; 18 | Statement stmt = con.createStatement(); 19 | rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"' and privilege='admin'"); 20 | if(rs != null && rs.next()){ 21 | session.setAttribute("isLoggedIn", "1"); 22 | session.setAttribute("userid", rs.getString("id")); 23 | session.setAttribute("user", rs.getString("username")); 24 | session.setAttribute("avatar", rs.getString("avatar")); 25 | session.setAttribute("privilege", 
rs.getString("privilege")); 26 | 27 | Cookie privilege=new Cookie("privilege","admin"); 28 | privilege.setPath(request.getContextPath()); 29 | response.addCookie(privilege); 30 | 31 | response.sendRedirect("admin.jsp"); 32 | } 33 | else 34 | { 35 | response.sendRedirect("adminlogin.jsp?err=Username/Password is wrong"); 36 | } 37 | 38 | } 39 | } 40 | catch(SQLException ex) 41 | { 42 | response.sendRedirect("adminlogin.jsp?err=Something went wrong"); 43 | 44 | } 45 | catch(Exception e) 46 | { 47 | response.sendRedirect("adminlogin.jsp?err="+e); 48 | } 49 | } 50 | %> 51 | <%@ include file="/header.jsp" %> 52 | Admin Login Page:
    53 |
    54 | 55 | 56 | 57 | 58 | 59 |
    UserName:
    Password :
    <% if(request.getParameter("err")!=null){out.print(request.getParameter("err"));} %>
    60 |
    61 | 62 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/ForwardMe.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import javax.servlet.RequestDispatcher; 12 | import javax.servlet.ServletException; 13 | import javax.servlet.http.HttpServlet; 14 | import javax.servlet.http.HttpServletRequest; 15 | import javax.servlet.http.HttpServletResponse; 16 | 17 | /** 18 | * Servlet that forwards the request to a path taken from the request. 19 | * @author breakthesec 20 | */ 21 | public class ForwardMe extends HttpServlet { 22 | 23 | /** 24 | * Forwards the request to the path named by the "location" request parameter, or prints "Location Parameter is missing" when it is absent; serves both HTTP GET and POST 25 | * methods. 26 | * NOTE(review): location is handed to getRequestDispatcher() unvalidated. A forward is resolved inside the container, so it is not limited to paths a browser can request directly (resources under /WEB-INF/, for example); map the parameter onto a fixed set of view names instead. getRequestDispatcher() can also return null, which the code does not check before calling forward(). 27 | * @param request servlet request 28 | * @param response servlet response 29 | * @throws ServletException if a servlet-specific error occurs 30 | * @throws IOException if an I/O error occurs 31 | */ 32 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 33 | throws ServletException, IOException { 34 | response.setContentType("text/html;charset=UTF-8"); 35 | PrintWriter out = response.getWriter(); 36 | try { 37 | if(request.getParameter("location")!=null) 38 | { 39 | String location=request.getParameter("location"); 40 | //Forwarding 41 | RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(location); 42 | dispatcher.forward(request,response); 43 | } 44 | else 45 | { 46 | out.print("Location Parameter is missing"); 47 | } 48 | } finally { 49 | out.close(); 50 | } 51 | } 52 | 53 | // 54 | /** 55 | * Handles the HTTP GET method.
56 | * 57 | * @param request servlet request 58 | * @param response servlet response 59 | * @throws ServletException if a servlet-specific error occurs 60 | * @throws IOException if an I/O error occurs 61 | */ 62 | @Override 63 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 64 | throws ServletException, IOException { 65 | processRequest(request, response); 66 | } 67 | 68 | /** 69 | * Handles the HTTP POST method. 70 | * 71 | * @param request servlet request 72 | * @param response servlet response 73 | * @throws ServletException if a servlet-specific error occurs 74 | * @throws IOException if an I/O error occurs 75 | */ 76 | @Override 77 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 78 | throws ServletException, IOException { 79 | processRequest(request, response); 80 | } 81 | 82 | /** 83 | * Returns a short description of the servlet. 84 | * 85 | * @return a String containing servlet description 86 | */ 87 | @Override 88 | public String getServletInfo() { 89 | return "Short description"; 90 | }// 91 | 92 | } 93 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | This is a "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation (www.cysecurity.org). This app is intended for Java programmers and other people who wish to learn about web application vulnerabilities and how to write secure code. 2 | 3 | **The full course content is now available on GitHub for free:** 4 | 5 | https://github.com/CSPF-Founder/JavaSecurityCourse 6 | 7 | 8 | **The full course on Hacking and Securing Web Java Programs is available at** 9 | 10 | https://www.udemy.com/hacking-securing-java-web-programming/ 11 | 12 | **Warning**: This application is vulnerable by design. Don't run it on your main machine or on an online server; install it in a virtual machine. 13 | 14 | 15 | How to Use/Setup ?
16 | ------------- 17 | 18 | **Method 1.Super Very Easiest Method: Docker** 19 | The easiest way to use Java Vulnerable is using Docker, which sets up everything for you with one command. 20 | 21 | Steps: 22 | 23 | 1. Install Docker: https://docs.docker.com/engine/installation/ 24 | 2. Install docker-compose: https://docs.docker.com/compose/install/ 25 | 3. Inside this directory, run `sudo docker-compose up` and wait until everything is configured for you. 26 | 4. In your Browser, go to "http://localhost:8080/JavaVulnerableLab/install.jsp" 27 | 5. Change the JDBC URL from jdbc:mysql://localhost:3306 to jdbc:mysql://mysql:3306 28 | 6. Click the Install Button 29 | 7. Enjoy :) 30 | 31 | 32 | **Method 2.Very Easiest Method : VirtualBox VM** 33 | The second-easiest way to use Java Vulnerable is using the VirtualBox VM, which has everything set up and ready to use. 34 | 35 | Steps: 36 | 37 | 1. Install the VirtualBox : https://www.virtualbox.org/wiki/Downloads 38 | 2. Download the VM Image from here : http://sourceforge.net/projects/javavulnerablelab/files/v0.1/JavaVulnerableLab.ova/download 39 | 3. Import the JavaVulnerable.ova into VirtualBox. 40 | 4. Change the Network Settings to Host-Only Network 41 | 5. Start the Machine and log into it (Credentials: username: root, password: cspf) 42 | 6. Start Tomcat by entering "service tomcat start" in the Terminal 43 | 7. Start mysql by entering "service mysql start" in the Terminal 44 | 8. Find the IP Address of Machine 45 | 9. In your Browser, go to "http://[IP_ADDRESS_OF_VM]:8080/JavaVulnerableLab/install.jsp" 46 | 10. Click the Install Button 47 | 11. Enjoy :) 48 | 49 | **Method 3.Easiest Method : Standalone Web Application** 50 | In this method, you will be running an executable "JAR" file which runs the application with an embedded Apache Tomcat. 51 | 52 | Steps: 53 | 54 | 1. Install JDK 55 | 2.
Download Executable Jar from here: http://sourceforge.net/projects/javavulnerablelab/files/v0.2/JavaVulnerableLab.jar/download 56 | 3. Double Click the JavaVulnerable.jar to run( if double click is not working, run this command "java -jar JavaVulnerable.jar" in your Terminal or CMD) 57 | 4. In your Browser, go to "http://localhost:8080/JavaVulnerableLab/install.jsp 58 | 5. Click the Install Button 59 | 60 | **Method 4. Using War file:** 61 | This is a NORMAL method to deploy the WAR file. 62 | 63 | Steps: 64 | 65 | 1. Install Apache Tomcat server 66 | 2. Go to http://[Tomcat_INSTALLED_IP]:8080/manager/ (make sure you have modified tomcat-users.xml file of the tomcat to allow the manager). 67 | 3. Download our WAR file from here: https://sourceforge.net/projects/javavulnerablelab/files/latest/JavaVulnerableLab.war/download 68 | 4. Deploy the WAR in Apache Tomcat manager. 69 | 5. Go to http://[Tomcat_INSTALLED_IP]:8080/JavaVulnerableLab/install.jsp 70 | 6. Click the Install Button 71 | 72 | 73 | Get the VulnerableSpring Project from here: 74 | https://github.com/CSPF-Founder/VulnerableSpring 75 | 76 | -------------------------------------------------------------------------------- /src/main/webapp/vulnerability/forum.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | Document : forum 3 | Created on : 1 Dec, 2014, 3:22:09 PM 4 | Author : breakthesec 5 | --%> 6 | 7 | <%@page import="java.sql.Connection"%> 8 | <%@page import="java.sql.Statement"%> 9 | <%@page import="java.sql.SQLException"%> 10 | 11 | <%@page import="java.sql.ResultSetMetaData"%> 12 | <%@page import="java.sql.ResultSet"%> 13 | <%@ page import="java.util.*,java.io.*"%> 14 | <%@ page import="org.cysecurity.cspf.jvl.model.DBConnect"%> 15 | 16 | 17 | <%@page contentType="text/html" pageEncoding="UTF-8"%> 18 | 19 | <%@ include file="/header.jsp" %> 20 | <% 21 | Connection con=new 
DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 22 | if(session.getAttribute("isLoggedIn")!=null && session.getAttribute("isLoggedIn").equals("1")) 23 | { 24 | out.print("Hello "+session.getAttribute("user")+", Welcome to Our Forum !"); 25 | } 26 | %> 27 |

    28 |

    Create Post:

    29 |
    30 | Title :
    31 | Message:
    32 | " size="50"/>
    33 | 34 |
    35 | 36 |
    37 | <% 38 | 39 | if(request.getParameter("post")!=null) 40 | { 41 | /* The author name is read from the "user" request parameter, not from the session, so the client chooses it. */ String user=request.getParameter("user"); 42 | String content=request.getParameter("content"); 43 | String title=request.getParameter("title"); 44 | if(con!=null && !con.isClosed()) 45 | { 46 | Statement stmt = con.createStatement(); 47 | //Posting Content 48 | /* content, title and user are concatenated into the INSERT text (SQL injection) and stored as received; use a PreparedStatement with ? placeholders. stmt is not closed in this scriptlet. */ stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')"); 49 | out.print("Successfully posted"); 50 | } 51 | } 52 | 53 | %> 54 |

    List of Posts:

    55 | <% 56 | if(con!=null && !con.isClosed()) 57 | { 58 | Statement stmt = con.createStatement(); 59 | ResultSet rs =null; 60 | rs=stmt.executeQuery("select * from posts"); 61 | out.println(""); 62 | while (rs.next()) 63 | { 64 | out.print(""); 65 | out.print(""); 66 | out.print(""); 76 | 77 | } 78 | out.println("
    "+rs.getString("title")+" - Posted By "); 67 | /* The stored title and user values are written into the page without HTML encoding (stored XSS sink); encode them on output. stmt and rs are not closed in this scriptlet. */ if(!rs.getString("user").equalsIgnoreCase("anonymous")) 68 | { 69 | out.print(""+rs.getString("user")+""); 70 | } 71 | else 72 | { 73 | out.print(rs.getString("user")); 74 | } 75 | out.println("
    "); 79 | } 80 | out.print("
    Forum Users list >>"); 81 | %> 82 | <%@ include file="/footer.jsp" %> -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/xxe.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.InputStream; 11 | import java.io.PrintWriter; 12 | import javax.servlet.ServletException; 13 | import javax.servlet.http.HttpServlet; 14 | import javax.servlet.http.HttpServletRequest; 15 | import javax.servlet.http.HttpServletResponse; 16 | import javax.xml.parsers.DocumentBuilder; 17 | import javax.xml.parsers.DocumentBuilderFactory; 18 | import org.w3c.dom.Document; 19 | import org.w3c.dom.Element; 20 | import org.w3c.dom.NodeList; 21 | import org.xml.sax.InputSource; 22 | 23 | /** 24 | * 25 | * @author breakthesec 26 | */ 27 | public class xxe extends HttpServlet { 28 | 29 | /** 30 | * Processes requests for both HTTP GET and POST 31 | * methods.
32 | * 33 | * @param request servlet request 34 | * @param response servlet response 35 | * @throws ServletException if a servlet-specific error occurs 36 | * @throws IOException if an I/O error occurs 37 | */ 38 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 39 | throws ServletException, IOException { 40 | response.setContentType("text/html;charset=UTF-8"); 41 | PrintWriter out = response.getWriter(); 42 | try 43 | { 44 | /* Parses the raw request body as XML and prints each child of the root element as "name : value". */ InputStream xml=request.getInputStream(); 45 | /* The factory is used with its defaults on caller-supplied XML: DTDs and external entities are not disabled here (XXE). Hardening, before newDocumentBuilder(): factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), factory.setXIncludeAware(false) and factory.setExpandEntityReferences(false). */ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); 46 | DocumentBuilder builder = factory.newDocumentBuilder(); 47 | InputSource is = new InputSource(xml); 48 | Document doc = builder.parse(is); 49 | Element element = doc.getDocumentElement(); 50 | NodeList nodes = element.getChildNodes(); 51 | out.print("
    Result:
    "); 52 | out.print("---------------------
    "); 53 | for (int i = 0; i < nodes.getLength(); i++) { 54 | /* Node names and values go into a text/html response without HTML encoding; getFirstChild() is null for a node without children, which throws and lands in the catch below. */ out.print(nodes.item(i).getNodeName()+" : " + nodes.item(i).getFirstChild().getNodeValue().toString()); 55 | out.print("
    "); 56 | } 57 | } 58 | catch(Exception ex) 59 | { 60 | /* The raw exception text is returned to the client; log it server-side and send a generic error instead. */ out.print(ex); 61 | } 62 | finally { 63 | out.close(); 64 | } 65 | } 66 | 67 | // 68 | /** 69 | * Handles the HTTP GET method. 70 | * 71 | * @param request servlet request 72 | * @param response servlet response 73 | * @throws ServletException if a servlet-specific error occurs 74 | * @throws IOException if an I/O error occurs 75 | */ 76 | @Override 77 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 78 | throws ServletException, IOException { 79 | processRequest(request, response); 80 | } 81 | 82 | /** 83 | * Handles the HTTP POST method. 84 | * 85 | * @param request servlet request 86 | * @param response servlet response 87 | * @throws ServletException if a servlet-specific error occurs 88 | * @throws IOException if an I/O error occurs 89 | */ 90 | @Override 91 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 92 | throws ServletException, IOException { 93 | processRequest(request, response); 94 | } 95 | 96 | /** 97 | * Returns a short description of the servlet. 98 | * 99 | * @return a String containing servlet description 100 | */ 101 | @Override 102 | public String getServletInfo() { 103 | return "Short description"; 104 | }// 105 | 106 | } 107 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor.
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import java.sql.Connection; 12 | import java.sql.ResultSet; 13 | import java.sql.Statement; 14 | import javax.servlet.ServletException; 15 | import javax.servlet.http.HttpServlet; 16 | import javax.servlet.http.HttpServletRequest; 17 | import javax.servlet.http.HttpServletResponse; 18 | import org.cysecurity.cspf.jvl.model.DBConnect; 19 | import org.json.JSONObject; 20 | 21 | /** 22 | * 23 | * @author breakthesec 24 | */ 25 | public class EmailCheck extends HttpServlet { 26 | 27 | /** 28 | * Processes requests for both HTTP GET and POST 29 | * methods. Looks up the "email" request parameter in the users table and prints a JSON object whose "available" key is the string "1" when a row exists and the integer 0 otherwise. 30 | * 31 | * @param request servlet request 32 | * @param response servlet response 33 | * @throws ServletException if a servlet-specific error occurs 34 | * @throws IOException if an I/O error occurs 35 | */ 36 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 37 | throws ServletException, IOException { 38 | response.setContentType("application/json"); 39 | PrintWriter out = response.getWriter(); 40 | try { 41 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 42 | /* getParameter() returns null when "email" is absent, so trim() throws; the catch below prints that exception into the response. */ String email=request.getParameter("email").trim(); 43 | JSONObject json=new JSONObject(); 44 | if(con!=null && !con.isClosed()) 45 | { 46 | ResultSet rs=null; 47 | Statement stmt = con.createStatement(); 48 | /* The request value is concatenated into the SQL text (SQL injection). The parameterized form is con.prepareStatement("select * from users where email=?") followed by setString(1, email). con, stmt and rs are never closed in this method. */ rs=stmt.executeQuery("select * from users where email='"+email+"'"); 49 | if (rs.next()) 50 | { 51 | json.put("available", "1"); 52 | } 53 | else 54 | { 55 | json.put("available", new Integer(0)); 56 | } 57 | } 58 | out.print(json); 59 | } 60 | catch(Exception e) 61 | { 62 | /* The raw exception text is returned to the client and can carry SQL error detail; log it server-side and send a generic error instead. */ out.print(e); 63 | } 64 | finally { 65 | out.close(); 66 | } 67 | } 68 | 69 | // 70 | /** 71 | * Handles the HTTP GET method.
72 | * 73 | * @param request servlet request 74 | * @param response servlet response 75 | * @throws ServletException if a servlet-specific error occurs 76 | * @throws IOException if an I/O error occurs 77 | */ 78 | @Override 79 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 80 | throws ServletException, IOException { 81 | processRequest(request, response); 82 | } 83 | 84 | /** 85 | * Handles the HTTP POST method. 86 | * 87 | * @param request servlet request 88 | * @param response servlet response 89 | * @throws ServletException if a servlet-specific error occurs 90 | * @throws IOException if an I/O error occurs 91 | */ 92 | 93 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 94 | throws ServletException, IOException { 95 | processRequest(request, response); 96 | } 97 | 98 | /** 99 | * Returns a short description of the servlet. 100 | * 101 | * @return a String containing servlet description 102 | */ 103 | @Override 104 | public String getServletInfo() { 105 | return "Short description"; 106 | }// 107 | 108 | } 109 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import java.sql.Connection; 12 | import java.sql.ResultSet; 13 | import java.sql.Statement; 14 | import javax.servlet.ServletException; 15 | import javax.servlet.http.HttpServlet; 16 | import javax.servlet.http.HttpServletRequest; 17 | import javax.servlet.http.HttpServletResponse; 18 | import org.cysecurity.cspf.jvl.model.DBConnect; 19 | import org.json.JSONObject; 20 | 21 | /** 22 | * 23 | * @author breakthesec 24 | */ 25 | public class UsernameCheck extends HttpServlet { 26 | 27 | /** 28 | * Processes requests for both HTTP GET and POST 29 | * methods. Looks up the "username" request parameter in the users table and prints a JSON object whose "available" key is the string "1" when a row exists and the integer 0 otherwise. 30 | * 31 | * @param request servlet request 32 | * @param response servlet response 33 | * @throws ServletException if a servlet-specific error occurs 34 | * @throws IOException if an I/O error occurs 35 | */ 36 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 37 | throws ServletException, IOException { 38 | response.setContentType("application/json"); 39 | PrintWriter out = response.getWriter(); 40 | try { 41 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 42 | /* getParameter() returns null when "username" is absent, so trim() throws; the catch below prints that exception into the response. */ String user=request.getParameter("username").trim(); 43 | JSONObject json=new JSONObject(); 44 | if(con!=null && !con.isClosed()) 45 | { 46 | ResultSet rs=null; 47 | Statement stmt = con.createStatement(); 48 | /* The request value is concatenated into the SQL text (SQL injection). The parameterized form is con.prepareStatement("select * from users where username=?") followed by setString(1, user). con, stmt and rs are never closed in this method. */ rs=stmt.executeQuery("select * from users where username='"+user+"'"); 49 | if (rs.next()) 50 | { 51 | json.put("available", "1"); 52 | } 53 | else 54 | { 55 | json.put("available", new Integer(0)); 56 | } 57 | } 58 | out.print(json); 59 | } 60 | catch(Exception e) 61 | { 62 | /* The raw exception text is returned to the client and can carry SQL error detail; log it server-side and send a generic error instead. */ out.print(e); 63 | } 64 | finally { 65 | out.close(); 66 | } 67 | } 68 | 69 | // 70 | /** 71 | * Handles the HTTP GET method.
72 | * 73 | * @param request servlet request 74 | * @param response servlet response 75 | * @throws ServletException if a servlet-specific error occurs 76 | * @throws IOException if an I/O error occurs 77 | */ 78 | @Override 79 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 80 | throws ServletException, IOException { 81 | processRequest(request, response); 82 | } 83 | 84 | /** 85 | * Handles the HTTP POST method. 86 | * 87 | * @param request servlet request 88 | * @param response servlet response 89 | * @throws ServletException if a servlet-specific error occurs 90 | * @throws IOException if an I/O error occurs 91 | */ 92 | @Override 93 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 94 | throws ServletException, IOException { 95 | processRequest(request, response); 96 | } 97 | 98 | /** 99 | * Returns a short description of the servlet. 100 | * 101 | * @return a String containing servlet description 102 | */ 103 | @Override 104 | public String getServletInfo() { 105 | return "Short description"; 106 | }// 107 | 108 | } 109 | -------------------------------------------------------------------------------- /src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | 7 | 8 | Install 9 | org.cysecurity.cspf.jvl.controller.Install 10 | 11 | 12 | loginValidator 13 | org.cysecurity.cspf.jvl.controller.LoginValidator 14 | 15 | 16 | Register 17 | org.cysecurity.cspf.jvl.controller.Register 18 | 19 | 20 | Logout 21 | org.cysecurity.cspf.jvl.controller.Logout 22 | 23 | 24 | Open 25 | org.cysecurity.cspf.jvl.controller.Open 26 | 27 | 28 | SendMessage 29 | org.cysecurity.cspf.jvl.controller.SendMessage 30 | 31 | 32 | ForwardMe 33 | org.cysecurity.cspf.jvl.controller.ForwardMe 34 | 35 | 36 | AddPage 37 | org.cysecurity.cspf.jvl.controller.AddPage 38 | 39 | 40 | UsernameCheck 41 | org.cysecurity.cspf.jvl.controller.UsernameCheck 42 | 43 | 44 | 
EmailCheck 45 | org.cysecurity.cspf.jvl.controller.EmailCheck 46 | 47 | 48 | XPathQuery 49 | org.cysecurity.cspf.jvl.controller.XPathQuery 50 | 51 | 52 | xxe 53 | org.cysecurity.cspf.jvl.controller.xxe 54 | 55 | 56 | 57 | Install 58 | /Install 59 | 60 | 61 | loginValidator 62 | /LoginValidator 63 | 64 | 65 | Register 66 | /AddUser 67 | 68 | 69 | Logout 70 | /Logout 71 | 72 | 73 | Open 74 | /Open 75 | 76 | 77 | SendMessage 78 | /SendMessage.do 79 | 80 | 81 | ForwardMe 82 | /ForwardMe 83 | 84 | 85 | AddPage 86 | /admin/AddPage.do 87 | 88 | 89 | UsernameCheck 90 | /UsernameCheck.do 91 | 92 | 93 | EmailCheck 94 | /EmailCheck.do 95 | 96 | 97 | XPathQuery 98 | /XPathQuery.do 99 | 100 | 101 | xxe 102 | /xxe.do 103 | 104 | 105 | 106 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.BufferedWriter; 10 | import java.io.File; 11 | import java.io.FileWriter; 12 | import java.io.IOException; 13 | import java.io.PrintWriter; 14 | import javax.servlet.ServletException; 15 | import javax.servlet.http.HttpServlet; 16 | import javax.servlet.http.HttpServletRequest; 17 | import javax.servlet.http.HttpServletResponse; 18 | 19 | /** 20 | * 21 | * @author breakthesec 22 | */ 23 | public class AddPage extends HttpServlet { 24 | 25 | /** 26 | * Processes requests for both HTTP GET and POST 27 | * methods. 
28 | * 29 | * @param request servlet request 30 | * @param response servlet response 31 | * @throws ServletException if a servlet-specific error occurs 32 | * @throws IOException if an I/O error occurs 33 | */ 34 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 35 | throws ServletException, IOException { 36 | response.setContentType("text/html;charset=UTF-8"); 37 | PrintWriter out = response.getWriter(); 38 | try { 39 | /* Writes the "content" request parameter to a file named by the "filename" parameter under the webapp's /pages directory, replacing any file already there. NOTE(review): no session or privilege check is visible in this method; confirm access to the servlet is restricted elsewhere. */ String fileName=request.getParameter("filename"); 40 | String content=request.getParameter("content"); 41 | if(fileName!=null && content!=null) 42 | { 43 | String pagesDir=getServletContext().getRealPath("/pages"); 44 | /* fileName is appended to pagesDir unchecked, so nothing keeps the resulting path inside the pages directory (path traversal), and both name and content are caller-chosen. Resolve the canonical path, require it to stay under pagesDir, and restrict the permitted name and extension. */ String filePath=pagesDir+"/"+fileName; 45 | File f=new File(filePath); 46 | if(f.exists()) 47 | { 48 | f.delete(); 49 | } 50 | if(f.createNewFile()) 51 | { 52 | /* bw is closed only on the success path; an exception in write() leaves it open. */ BufferedWriter bw=new BufferedWriter(new FileWriter(f.getAbsoluteFile())); 53 | bw.write(content); 54 | bw.close(); 55 | /* fileName is written into a text/html response without HTML encoding. */ out.print("Successfully created the file: "+fileName+""); 56 | } 57 | else 58 | { 59 | out.print("Failed to create the file"); 60 | } 61 | } 62 | else 63 | { 64 | out.print("filename or content Parameter is missing"); 65 | } 66 | 67 | } 68 | catch(Exception e) 69 | { 70 | /* The raw exception text is returned to the client; it may reveal server file paths. */ out.print(e); 71 | } 72 | finally { 73 | out.close(); 74 | } 75 | } 76 | 77 | // 78 | /** 79 | * Handles the HTTP GET method. 80 | * 81 | * @param request servlet request 82 | * @param response servlet response 83 | * @throws ServletException if a servlet-specific error occurs 84 | * @throws IOException if an I/O error occurs 85 | */ 86 | @Override 87 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 88 | throws ServletException, IOException { 89 | processRequest(request, response); 90 | } 91 | 92 | /** 93 | * Handles the HTTP POST method.
94 | * 95 | * @param request servlet request 96 | * @param response servlet response 97 | * @throws ServletException if a servlet-specific error occurs 98 | * @throws IOException if an I/O error occurs 99 | */ 100 | @Override 101 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 102 | throws ServletException, IOException { 103 | processRequest(request, response); 104 | } 105 | 106 | /** 107 | * Returns a short description of the servlet. 108 | * 109 | * @return a String containing servlet description 110 | */ 111 | @Override 112 | public String getServletInfo() { 113 | return "Short description"; 114 | }// 115 | 116 | } 117 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/XPathQuery.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import javax.servlet.ServletException; 12 | import javax.servlet.http.HttpServlet; 13 | import javax.servlet.http.HttpServletRequest; 14 | import javax.servlet.http.HttpServletResponse; 15 | import javax.servlet.http.HttpSession; 16 | import javax.xml.parsers.DocumentBuilder; 17 | import javax.xml.parsers.DocumentBuilderFactory; 18 | import javax.xml.xpath.XPath; 19 | import javax.xml.xpath.XPathFactory; 20 | 21 | import org.w3c.dom.Document; 22 | /** 23 | * 24 | * @author breakthesec 25 | */ 26 | public class XPathQuery extends HttpServlet { 27 | 28 | 29 | 30 | /* Evaluates an XPath login query against WEB-INF/users.xml using the "username" and "password" request parameters; on a non-empty result it marks the session as logged in and redirects through ForwardMe. */ protected void processRequest(HttpServletRequest request, HttpServletResponse response) 31 | throws ServletException, IOException { 32 | response.setContentType("text/html;charset=UTF-8"); 33 | PrintWriter out = response.getWriter(); 34 | try { 35 | String user=request.getParameter("username"); 36 | String pass=request.getParameter("password"); 37 | 38 | //XML Source: 39 | String XML_SOURCE=getServletContext().getRealPath("/WEB-INF/users.xml"); 40 | 41 | //Parsing XML: 42 | DocumentBuilderFactory factory=DocumentBuilderFactory.newInstance(); 43 | factory.setNamespaceAware(true); 44 | DocumentBuilder builder=factory.newDocumentBuilder(); 45 | Document xDoc=builder.parse(XML_SOURCE); 46 | 47 | XPath xPath=XPathFactory.newInstance().newXPath(); 48 | 49 | //XPath Query: 50 | /* Both request values are concatenated into the XPath expression (XPath injection), and the password is compared as plain text against the XML file. Bind the values through an XPathVariableResolver instead of string building, or reject quote characters before the expression is assembled. */ String xPression="/users/user[username='"+user+"' and password='"+pass+"']/name"; 51 | 52 | //running Xpath query: 53 | String name=xPath.compile(xPression).evaluate(xDoc); 54 | /* name is written to the response body before sendRedirect() is called. */ out.println(name); 55 | if(name.isEmpty()) 56 | { 57 | response.sendRedirect(response.encodeURL("ForwardMe?location=/vulnerability/Injection/xpath_login.jsp?err=Invalid Credentials")); 58 | } 59 | else 60 | { 61 | /* The existing session is reused after authentication; no invalidate() or changeSessionId() call is visible here. */ HttpSession session=request.getSession(); 62 | session.setAttribute("isLoggedIn", "1"); 63 | session.setAttribute("user",
name); 64 | response.sendRedirect(response.encodeURL("ForwardMe?location=/index.jsp")); 65 | } 66 | } 67 | catch(Exception e) 68 | { 69 | /* The raw exception text is returned to the client; log it server-side and send a generic error instead. */ out.print(e); 70 | } 71 | finally { 72 | out.close(); 73 | } 74 | } 75 | 76 | // 77 | /** 78 | * Handles the HTTP GET method. 79 | * 80 | * @param request servlet request 81 | * @param response servlet response 82 | * @throws ServletException if a servlet-specific error occurs 83 | * @throws IOException if an I/O error occurs 84 | */ 85 | @Override 86 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 87 | throws ServletException, IOException { 88 | processRequest(request, response); 89 | } 90 | 91 | /** 92 | * Handles the HTTP POST method. 93 | * 94 | * @param request servlet request 95 | * @param response servlet response 96 | * @throws ServletException if a servlet-specific error occurs 97 | * @throws IOException if an I/O error occurs 98 | */ 99 | @Override 100 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 101 | throws ServletException, IOException { 102 | processRequest(request, response); 103 | } 104 | 105 | /** 106 | * Returns a short description of the servlet. 107 | * 108 | * @return a String containing servlet description 109 | */ 110 | @Override 111 | public String getServletInfo() { 112 | return "Short description"; 113 | }// 114 | 115 | } 116 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/SendMessage.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor.
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import java.sql.Connection; 12 | import java.sql.PreparedStatement; 13 | import javax.servlet.ServletException; 14 | import javax.servlet.http.HttpServlet; 15 | import javax.servlet.http.HttpServletRequest; 16 | import javax.servlet.http.HttpServletResponse; 17 | import org.cysecurity.cspf.jvl.model.DBConnect; 18 | 19 | /** 20 | * 21 | * @author breakthesec 22 | */ 23 | public class SendMessage extends HttpServlet { 24 | 25 | /** 26 | * Processes requests for both HTTP GET and POST 27 | * methods. Stores a message row in UserMessages from the request parameters and redirects to SendMessage.jsp with a status text. 28 | * 29 | * @param request servlet request 30 | * @param response servlet response 31 | * @throws ServletException if a servlet-specific error occurs 32 | * @throws IOException if an I/O error occurs 33 | */ 34 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 35 | throws ServletException, IOException { 36 | response.setContentType("text/html;charset=UTF-8"); 37 | 38 | try 39 | { 40 | PrintWriter out = response.getWriter(); 41 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 42 | String recipient=request.getParameter("recipient"); 43 | String subject=request.getParameter("subject"); 44 | String msg=request.getParameter("msg"); 45 | /* sender is read from the request rather than from the session, so the stored sender is whatever the client submits; no login check is visible in this method. */ String sender=request.getParameter("sender"); 46 | if(con!=null && !con.isClosed() && request.getParameter("send")!=null) 47 | { 48 | //PreparedStatement to Prevent SQL Injection attack: 49 | /* Values are bound with setString(), so they cannot change the SQL text. pstmt and con are not closed in this method. */ PreparedStatement pstmt=con.prepareStatement("INSERT into UserMessages(recipient, sender, subject, msg) values (?,?,?,?)"); 50 | pstmt.setString(1, recipient); 51 | pstmt.setString(2, sender); 52 | pstmt.setString(3, subject); 53 | pstmt.setString(4, msg); 54 | pstmt.executeUpdate(); 55 | response.sendRedirect(request.getContextPath()+"/vulnerability/SendMessage.jsp?status=* Message successfully sent *"); 56 | 57 | } 58 | else 59
| { 60 | response.sendRedirect(request.getContextPath()+"/vulnerability/SendMessage.jsp?status=* Something Went Wrong"); 61 | 62 | } 63 | } 64 | catch(Exception ex) 65 | { 66 | /* The exception text is appended to the redirect URL unencoded. NOTE(review): confirm how SendMessage.jsp renders the status parameter before relying on it being harmless. */ response.sendRedirect(request.getContextPath()+"/vulnerability/SendMessage.jsp?status=* Something Went Wrong
    "+ex); 67 | 68 | } 69 | 70 | 71 | } 72 | 73 | // 74 | /** 75 | * Handles the HTTP GET method. 76 | * 77 | * @param request servlet request 78 | * @param response servlet response 79 | * @throws ServletException if a servlet-specific error occurs 80 | * @throws IOException if an I/O error occurs 81 | */ 82 | @Override 83 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 84 | throws ServletException, IOException { 85 | processRequest(request, response); 86 | } 87 | 88 | /** 89 | * Handles the HTTP POST method. 90 | * 91 | * @param request servlet request 92 | * @param response servlet response 93 | * @throws ServletException if a servlet-specific error occurs 94 | * @throws IOException if an I/O error occurs 95 | */ 96 | @Override 97 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 98 | throws ServletException, IOException { 99 | processRequest(request, response); 100 | } 101 | 102 | /** 103 | * Returns a short description of the servlet. 104 | * 105 | * @return a String containing servlet description 106 | */ 107 | @Override 108 | public String getServletInfo() { 109 | return "Short description"; 110 | }// 111 | 112 | } 113 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties. 3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor.
5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import java.sql.Connection; 12 | import java.sql.ResultSet; 13 | import java.sql.SQLException; 14 | import java.sql.Statement; 15 | import javax.servlet.ServletException; 16 | import javax.servlet.http.HttpServlet; 17 | import javax.servlet.http.HttpServletRequest; 18 | import javax.servlet.http.HttpServletResponse; 19 | import javax.servlet.http.HttpSession; 20 | import org.cysecurity.cspf.jvl.model.DBConnect; 21 | 22 | /** 23 | * 24 | * @author breakthesec 25 | */ 26 | public class Register extends HttpServlet { 27 | 28 | /** 29 | * Processes requests for both HTTP GET and POST 30 | * methods. Inserts a new row into users from the request parameters, adds a welcome row to UserMessages, then redirects to index.jsp. 31 | * 32 | * @param request servlet request 33 | * @param response servlet response 34 | * @throws ServletException if a servlet-specific error occurs 35 | * @throws IOException if an I/O error occurs 36 | */ 37 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 38 | throws ServletException, IOException { 39 | response.setContentType("text/html;charset=UTF-8"); 40 | try { 41 | PrintWriter out = response.getWriter(); 42 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 43 | String user=request.getParameter("username"); 44 | String pass=request.getParameter("password"); 45 | String email=request.getParameter("email"); 46 | String about=request.getParameter("About"); 47 | String secret=request.getParameter("secret"); 48 | if(secret==null || secret.equals("")) 49 | { 50 | secret="nosecret"; 51 | } 52 | try 53 | { 54 | if(con!=null && !con.isClosed()) 55 | { 56 | 57 | /* All five request values are concatenated into the INSERT text (SQL injection), and the password and secret are stored exactly as submitted; no hashing is applied in this method. Use a PreparedStatement with ? placeholders and store a salted password hash. stmt and con are not closed here. */ Statement stmt = con.createStatement(); 58 | stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')"); 59 | stmt.executeUpdate("INSERT into
UserMessages(recipient, sender, subject, msg) values ('"+user+"','admin','Hi','Hi
    This is admin of this page.
    Welcome to Our Forum')"); 60 | 61 | response.sendRedirect("index.jsp"); 62 | 63 | } 64 | else 65 | { 66 | response.sendRedirect("Register.jsp"); 67 | } 68 | } 69 | catch(SQLException ex) 70 | { 71 | /* SQL failures are only printed to stdout; no response is sent to the client on this path. */ System.out.println("SQLException: " + ex.getMessage()); 72 | System.out.println("SQLState: " + ex.getSQLState()); 73 | System.out.println("VendorError: " + ex.getErrorCode()); 74 | 75 | } 76 | 77 | } 78 | catch(Exception e) 79 | { 80 | /* Every other exception is silently discarded. */ 81 | } 82 | } 83 | 84 | // 85 | /** 86 | * Handles the HTTP GET method. 87 | * 88 | * @param request servlet request 89 | * @param response servlet response 90 | * @throws ServletException if a servlet-specific error occurs 91 | * @throws IOException if an I/O error occurs 92 | */ 93 | @Override 94 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 95 | throws ServletException, IOException { 96 | processRequest(request, response); 97 | } 98 | 99 | /** 100 | * Handles the HTTP POST method. 101 | * 102 | * @param request servlet request 103 | * @param response servlet response 104 | * @throws ServletException if a servlet-specific error occurs 105 | * @throws IOException if an I/O error occurs 106 | */ 107 | @Override 108 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 109 | throws ServletException, IOException { 110 | processRequest(request, response); 111 | } 112 | 113 | /** 114 | * Returns a short description of the servlet. 115 | * 116 | * @return a String containing servlet description 117 | */ 118 | @Override 119 | public String getServletInfo() { 120 | return "Short description"; 121 | }// 122 | 123 | } 124 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * To change this license header, choose License Headers in Project Properties.
3 | * To change this template file, choose Tools | Templates 4 | * and open the template in the editor. 5 | */ 6 | 7 | package org.cysecurity.cspf.jvl.controller; 8 | 9 | import java.io.IOException; 10 | import java.io.PrintWriter; 11 | import java.sql.Connection; 12 | import java.sql.ResultSet; 13 | import java.sql.Statement; 14 | import javax.servlet.ServletException; 15 | import javax.servlet.http.Cookie; 16 | import javax.servlet.http.HttpServlet; 17 | import javax.servlet.http.HttpServletRequest; 18 | import javax.servlet.http.HttpServletResponse; 19 | import javax.servlet.http.HttpSession; 20 | import org.cysecurity.cspf.jvl.model.DBConnect; 21 | 22 | 23 | 24 | /** 25 | * 26 | * @author breakthesec 27 | */ 28 | public class LoginValidator extends HttpServlet { 29 | 30 | /** 31 | * Processes requests for both HTTP GET and POST 32 | * methods. Looks up the submitted username and password in the users table. When a row is returned it fills the session attributes isLoggedIn, userid, user and avatar, sets cookies and redirects through ForwardMe; otherwise it redirects back to the login page with an err message. If connect() yields null or a closed connection, the method returns without writing a response. 33 | * 34 | * @param request servlet request 35 | * @param response servlet response 36 | * @throws ServletException if a servlet-specific error occurs 37 | * @throws IOException if an I/O error occurs 38 | */ 39 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 40 | throws ServletException, IOException { 41 | 42 | 43 | /* Both parameters are dereferenced with trim() before the try block. getParameter returns null for an absent parameter, so a request that omits either one ends in a NullPointerException instead of the error redirect in the catch block. */ String user=request.getParameter("username").trim(); 44 | String pass=request.getParameter("password").trim(); 45 | try 46 | { 47 | Connection con=new DBConnect().connect(getServletContext().getRealPath("/WEB-INF/config.properties")); 48 | if(con!=null && !con.isClosed()) 49 | { 50 | ResultSet rs=null; 51 | Statement stmt = con.createStatement(); 52 | /* Security note (CWE-89, SQL injection): user and pass come straight from the request and are concatenated into the SQL text, so their content is parsed as part of the statement. The usual fix is con.prepareStatement with ? placeholders for both values and setString for each. The repository name (JavaVulnerableLab) suggests the flaw is a deliberate exercise. The submitted password is also compared to the password column as-is, with no hashing step in this method. */ rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"'"); 53 | if(rs != null && rs.next()){ 54 | /* getSession() returns the session the client already has, if any. Nothing here issues a new session id after a successful login, which is the usual defence against session fixation. */ HttpSession session=request.getSession(); 55 | session.setAttribute("isLoggedIn", "1"); 56 | session.setAttribute("userid", rs.getString("id")); 57 | session.setAttribute("user", rs.getString("username")); 58 | session.setAttribute("avatar", rs.getString("avatar")); 59 | /* The role is written to a client-side cookie with no HttpOnly or Secure attribute set. Cookie values are controlled by the client, so authorization should be derived from server-side session state. Whether any page reads this cookie for access decisions is not visible here. */ Cookie
privilege=new Cookie("privilege","user"); 60 | response.addCookie(privilege); 61 | if(request.getParameter("RememberMe")!=null) 62 | { 63 | /* Remember-me stores the submitted username and password verbatim in two cookies. A random, expiring token that the server can revoke avoids putting the credential itself on the client. */ Cookie username=new Cookie("username",user); 64 | Cookie password=new Cookie("password",pass); 65 | response.addCookie(username); 66 | response.addCookie(password); 67 | } 68 | /* encodeURL can append the session id to the URL when the container falls back to URL rewriting, which exposes it in logs and Referer headers. encodeRedirectURL is the variant intended for sendRedirect. */ response.sendRedirect(response.encodeURL("ForwardMe?location=/index.jsp")); 69 | } 70 | else 71 | { 72 | response.sendRedirect("ForwardMe?location=/login.jsp&err=Invalid Username or Password"); 73 | } 74 | 75 | } 76 | } 77 | catch(Exception ex) 78 | { 79 | /* Every exception is reduced to a generic message and nothing is logged. The Connection, Statement and ResultSet opened above are never closed on any path. */ response.sendRedirect("login.jsp?err=something went wrong"); 80 | } 81 | 82 | } 83 | // 84 | /** 85 | * Handles the HTTP GET method. 86 | * 87 | * @param request servlet request 88 | * @param response servlet response 89 | * @throws ServletException if a servlet-specific error occurs 90 | * @throws IOException if an I/O error occurs 91 | */ 92 | @Override 93 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 94 | throws ServletException, IOException { 95 | processRequest(request, response); 96 | } 97 | 98 | /** 99 | * Handles the HTTP POST method. 100 | * 101 | * @param request servlet request 102 | * @param response servlet response 103 | * @throws ServletException if a servlet-specific error occurs 104 | * @throws IOException if an I/O error occurs 105 | */ 106 | @Override 107 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 108 | throws ServletException, IOException { 109 | processRequest(request, response); 110 | } 111 | 112 | /** 113 | * Returns a short description of the servlet.
114 | * 115 | * @return a String containing servlet description 116 | */ 117 | @Override 118 | public String getServletInfo() { 119 | return "Short description"; 120 | }// 121 | 122 | } 123 | -------------------------------------------------------------------------------- /src/main/webapp/style.css: -------------------------------------------------------------------------------- 1 | * { 2 | margin: 0px; 3 | padding: 0px; 4 | } 5 | body { 6 | padding-top: 0px; 7 | background:url("images/bg.png") #000; 8 | color: #FFF; 9 | font-family: verdana, arial, sans-serif; 10 | 11 | text-align: left; 12 | letter-spacing: 1px; 13 | } 14 | a {color: #A92332;font-size: 14px;text-decoration:none;} 15 | a:hover {color: #01a9c0;} 16 | .more{float: right; font-size: 11px; color: #add8f9; font-weight: bold; text-decoration: none;} 17 | .clear{clear:both;} 18 | p{ margin: 20px 0px 20px 0px;line-height: 16px;font-size: 14px;} 19 | #container { 20 | margin-left: auto ; 21 | margin-right: auto ; 22 | width:873px; 23 | } 24 | .success 25 | { 26 | color:green; 27 | } 28 | .fail 29 | { 30 | color:red; 31 | } 32 | #Main-Container{ 33 | width:750px; 34 | border-radius: 15px; 35 | -webkit-border-radius: 15px; 36 | -moz-border-radius: 15px; 37 | box-shadow: 3px 3px 4px #000; 38 | -webkit-box-shadow: 2px 2px 3px #000; 39 | -moz-box-shadow: 2px 2px 3px #000; 40 | 41 | border: solid 4px #FFF; 42 | margin-left: auto ; 43 | margin-right: auto ; 44 | } 45 | #logo { 46 | width:500px; 47 | 48 | text-align:center; 49 | margin-left: auto ; 50 | margin-right: auto ; 51 | } 52 | 53 | #Main{ 54 | width:650px; 55 | height: 500px; 56 | margin-left: auto ; 57 | margin-right: auto ; 58 | } 59 | #Main h2{ 60 | color: #d4e5f2; 61 | font-family: Arial; 62 | font-size: 18px; 63 | padding: 0 0 10px 5px; 64 | } 65 | 66 | #left { 67 | float:left; 68 | width:435px; 69 | margin: 0px 0px 0px 85px; 70 | display:inline; 71 | } 72 | #right { 73 | float:right; 74 | width:258px; 75 | height:auto; 76 | margin: 0px 62px 20px 
0px; 77 | display:inline; 78 | } 79 | #right a img{ 80 | margin: 8px 8px 8px 0px; 81 | border: none 0px #FFFFFF; 82 | } 83 | #menu-bar { 84 | width:680px; 85 | margin: 0px 0px 0px 0px; 86 | padding: 6px 6px 0px 6px; 87 | height: 34px; 88 | line-height: 100%; 89 | border-radius: 15px 15px 0px 0px; 90 | -webkit-border-radius: 24px; 91 | -moz-border-radius: 24px; 92 | box-shadow: 2px 2px 3px #666666; 93 | -webkit-box-shadow: 2px 2px 3px #666666; 94 | -moz-box-shadow: 2px 2px 3px #666666; 95 | background: #000000; 96 | border: solid 4px #FFF; 97 | border-bottom:none; 98 | } 99 | #menu-bar li { 100 | margin: 0 2px; 101 | padding: 0 0 2px; 102 | float: left; 103 | position: relative; 104 | list-style: none; 105 | } 106 | #menu-bar a { 107 | font-weight: bold; 108 | font-family: arial; 109 | font-style: normal; 110 | font-size: 12px; 111 | color: #E7E5E5; 112 | text-decoration: none; 113 | display: block; 114 | padding: 8px 15px; 115 | margin: 0; 116 | border-radius: 10px; 117 | -webkit-border-radius: 10px; 118 | -moz-border-radius: 10px; 119 | text-shadow: 2px 2px 3px #000000; 120 | } 121 | #menu-bar .current a, #menu-bar li:hover > a { 122 | background: #027BAB; 123 | filter: progid:DXImageTransform.Microsoft.gradient(startColorstr=#10D5EB, endColorstr=#0883FF); 124 | background: -webkit-gradient(linear, left top, left bottom, from(#10D5EB), to(#0883FF)); 125 | background: -moz-linear-gradient(top, #10D5EB, #0883FF); 126 | color: #000000; 127 | -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .2); 128 | -moz-box-shadow: 0 1px 1px rgba(0, 0, 0, .2); 129 | box-shadow: 0 1px 1px rgba(0, 0, 0, .2); 130 | text-shadow: 2px 2px 3px #FFFFFF; 131 | } 132 | #menu-bar ul li:hover a, #menu-bar li:hover li a { 133 | background: none; 134 | border: none; 135 | color: #666; 136 | -box-shadow: none; 137 | -webkit-box-shadow: none; 138 | -moz-box-shadow: none; 139 | } 140 | #menu-bar ul a:hover { 141 | background: #0399D4 !important; 142 | filter: 
progid:DXImageTransform.Microsoft.gradient(startColorstr=#10D5EB, endColorstr=#0883FF); 143 | background: -webkit-gradient(linear, left top, left bottom, from(#10D5EB), to(#0883FF)) !important; 144 | background: -moz-linear-gradient(top, #10D5EB, #0883FF) !important; 145 | color: #000000 !important; 146 | border-radius: 0; 147 | -webkit-border-radius: 0; 148 | -moz-border-radius: 0; 149 | text-shadow: 2px 2px 3px #FFFFFF; 150 | } 151 | #menu-bar ul { 152 | background: #DDDDDD; 153 | filter: progid:DXImageTransform.Microsoft.gradient(startColorstr=#FFFFFF, endColorstr=#CFCFCF); 154 | background: -webkit-gradient(linear, left top, left bottom, from(#FFFFFF), to(#CFCFCF)); 155 | background: -moz-linear-gradient(top, #FFFFFF, #CFCFCF); 156 | display: none; 157 | margin: 0; 158 | padding: 0; 159 | width: 250px; 160 | position: absolute; 161 | top: 30px; 162 | left: 0; 163 | border: solid 1px #B4B4B4; 164 | border-radius: 10px; 165 | -webkit-border-radius: 10px; 166 | -moz-border-radius: 10px; 167 | -webkit-box-shadow: 2px 2px 3px #222222; 168 | -moz-box-shadow: 2px 2px 3px #222222; 169 | box-shadow: 2px 2px 3px #222222; 170 | } 171 | #menu-bar li:hover > ul { 172 | display: block; 173 | } 174 | #menu-bar ul li { 175 | float: none; 176 | margin: 0; 177 | padding: 0; 178 | } 179 | #menu-bar ul a { 180 | padding:5px 0 5px 8px; 181 | color:#424242 !important; 182 | font-size:12px; 183 | font-style:normal; 184 | font-family:arial; 185 | font-weight: normal; 186 | text-shadow: 2px 2px 3px #FFFFFF; 187 | } 188 | #menu-bar ul li:first-child > a { 189 | border-top-left-radius: 10px; 190 | -webkit-border-top-left-radius: 10px; 191 | -moz-border-radius-topleft: 10px; 192 | border-top-right-radius: 10px; 193 | -webkit-border-top-right-radius: 10px; 194 | -moz-border-radius-topright: 10px; 195 | } 196 | #menu-bar ul li:last-child > a { 197 | border-bottom-left-radius: 10px; 198 | -webkit-border-bottom-left-radius: 10px; 199 | -moz-border-radius-bottomleft: 10px; 200 | 
border-bottom-right-radius: 10px; 201 | -webkit-border-bottom-right-radius: 10px; 202 | -moz-border-radius-bottomright: 10px; 203 | } 204 | #menu-bar:after { 205 | content: "."; 206 | display: block; 207 | clear: both; 208 | visibility: hidden; 209 | line-height: 0; 210 | height: 0; 211 | } 212 | #menu-bar { 213 | display: inline-block; 214 | } 215 | html[xmlns] #menu-bar { 216 | display: block; 217 | } 218 | * html #menu-bar { 219 | height: 1%; 220 | } 221 | #menu-bar ul li ul { 222 | left: 100%; top:0; 223 | background:#FFf; 224 | } 225 | -------------------------------------------------------------------------------- /src/main/webapp/header.jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.FileInputStream"%> 2 | <%@page import="java.util.Properties"%> 3 | <%@page import="java.io.File"%> 4 | <% 5 | String path = request.getContextPath(); 6 | String configPath=getServletContext().getRealPath("/WEB-INF/config.properties"); 7 | 8 | Properties properties=new Properties(); 9 | properties.load(new FileInputStream(configPath)); 10 | String siteTitle=properties.getProperty("siteTitle"); 11 | %> 12 | 13 | 14 | 15 | 16 | <%=siteTitle%> 17 | 18 | <% out.print(""); %> 19 | 20 | 21 | 22 |
    23 | 24 | 160 | 161 |
    162 |
    163 | 167 |
    168 | 169 | 170 |
    171 | -------------------------------------------------------------------------------- /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: -------------------------------------------------------------------------------- 1 | package org.cysecurity.cspf.jvl.controller; 2 | 3 | /* 4 | * To change this license header, choose License Headers in Project Properties. 5 | * To change this template file, choose Tools | Templates 6 | * and open the template in the editor. 7 | */ 8 | 9 | import java.io.FileInputStream; 10 | import java.io.FileOutputStream; 11 | import java.io.IOException; 12 | import java.io.PrintWriter; 13 | import java.sql.Connection; 14 | import java.sql.DriverManager; 15 | import java.sql.SQLException; 16 | import java.sql.Statement; 17 | import java.util.Properties; 18 | import javax.servlet.ServletException; 19 | import javax.servlet.http.HttpServlet; 20 | import javax.servlet.http.HttpServletRequest; 21 | import javax.servlet.http.HttpServletResponse; 22 | import org.cysecurity.cspf.jvl.model.HashMe; 23 | 24 | /** 25 | * 26 | * @author breakthesec 27 | */ 28 | public class Install extends HttpServlet { 29 | 30 | static String dburl; 31 | static String jdbcdriver; 32 | static String dbuser; 33 | static String dbpass; 34 | static String dbname; 35 | static String siteTitle; 36 | static String adminuser; 37 | static String adminpass; 38 | 39 | /** 40 | * Processes requests for both HTTP GET and POST 41 | * methods. 
42 | * 43 | * @param request servlet request 44 | * @param response servlet response 45 | * @throws ServletException if a servlet-specific error occurs 46 | * @throws IOException if an I/O error occurs 47 | */ 48 | 49 | protected void processRequest(HttpServletRequest request, HttpServletResponse response) 50 | throws ServletException, IOException { /* Installer entry point: copies the request parameters into the servlet static fields, rewrites WEB-INF/config.properties with them, then calls setup(i) and prints a status line. No authentication or already-installed check appears in this method. Whether access is restricted elsewhere (for example in web.xml) is not visible here. An installer that stays reachable should be disabled or gated once the first setup has completed. */ 51 | String configPath=getServletContext().getRealPath("/WEB-INF/config.properties"); 52 | 53 | //Getting Database Configuration from User Input 54 | /* The targets are static fields declared at the top of the class, so they are shared by all requests and threads. Concurrent requests can overwrite each other between this point and setup(). */ dburl = request.getParameter("dburl"); 55 | jdbcdriver = request.getParameter("jdbcdriver"); 56 | dbuser = request.getParameter("dbuser"); 57 | dbpass = request.getParameter("dbpass"); 58 | dbname = request.getParameter("dbname"); 59 | siteTitle= request.getParameter("siteTitle"); 60 | adminuser= request.getParameter("adminuser"); 61 | /* HashMe.hashMe is defined in another file. The algorithm and any salting are not visible here. */ adminpass= HashMe.hashMe(request.getParameter("adminpass")); 62 | 63 | //Modifying Configuration Properties: 64 | Properties config=new Properties(); 65 | /* The FileInputStream is never closed. Properties.setProperty rejects null, so a missing parameter raises NullPointerException in the calls below, outside the try block. */ config.load(new FileInputStream(configPath)); 66 | config.setProperty("dburl",dburl); 67 | config.setProperty("jdbcdriver",jdbcdriver); 68 | config.setProperty("dbuser",dbuser); 69 | config.setProperty("dbpass",dbpass); 70 | config.setProperty("dbname",dbname); 71 | /* siteTitle is persisted exactly as received. header.jsp on this page prints the stored value with an unescaped JSP expression, so it needs HTML encoding at output or validation here. */ config.setProperty("siteTitle",siteTitle); 72 | FileOutputStream fileout = new FileOutputStream(configPath); 73 | config.store(fileout, null); 74 | fileout.close(); 75 | 76 | String i=request.getParameter("setup"); 77 | response.setContentType("text/html;charset=UTF-8"); 78 | try { 79 | PrintWriter out = response.getWriter(); 80 | /* TODO output your page here. You may use following sample code. */ 81 | out.println(""); 82 | out.println(""); 83 | out.println(""); 84 | out.println("Servlet install"); 85 | out.println(""); 86 | out.println(""); 87 | /* setup(i), defined below, loads the class named by jdbcdriver with Class.forName, opens a JDBC connection to dburl, and concatenates dbname into DROP DATABASE and CREATE DATABASE and adminuser into an INSERT. All of these values are request parameters. Identifiers such as a database name cannot be bound as statement parameters, so they need strict allowlist validation, and the driver class and JDBC URL should come from a fixed list rather than from the request. */ if(setup(i)) 88 | { 89 | out.print("successfully installed"); 90 | } 91 | else 92 | { 93 | out.print("Something went wrong.
Unable to install"); 94 | } 95 | out.println(""); 96 | out.println(""); 97 | } 98 | catch(Exception e) 99 | { 100 | /* Exceptions are swallowed silently. setup(i) calls i.equals without a null check, so a request with no setup parameter raises NullPointerException there and ends up here, leaving the page without either status message. */ 101 | } 102 | } 103 | protected boolean setup(String i) throws IOException 104 | { 105 | 106 | if(i.equals("1")) 107 | { 108 | 109 | try 110 | { 111 | Class.forName(jdbcdriver); 112 | Connection con= DriverManager.getConnection(dburl,dbuser,dbpass); 113 | if(con!=null && !con.isClosed()) 114 | { 115 | //Database creation 116 | Statement stmt = con.createStatement(); 117 | stmt.executeUpdate("DROP DATABASE IF EXISTS "+dbname); 118 | 119 | stmt.executeUpdate("CREATE DATABASE "+dbname); 120 | con.close(); 121 | con= DriverManager.getConnection(dburl+dbname,dbuser,dbpass); 122 | stmt = con.createStatement(); 123 | if(!con.isClosed()) 124 | { 125 | //User Table creation 126 | stmt.executeUpdate("Create table users(ID int NOT NULL AUTO_INCREMENT, username varchar(30),email varchar(60), password varchar(60), about varchar(50),privilege varchar(20),avatar TEXT,secretquestion int,secret varchar(30),primary key (id))"); 127 | stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('"+adminuser+"','"+adminpass+"','admin@localhost','I am the admin of this application','default.jpg','admin',1,'rocky')"); 128 | stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('victim','victim','victim@localhost','I am the victim of this application','default.jpg','user',1,'max')"); 129 | stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('attacker','attacker','attacker@localhost','I am the attacker of this application','default.jpg','user',1,'bella')"); 130 | stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('NEO','trinity','neo@matrix','I am the NEO','default.jpg','user',1,'sentinel')"); 131 |
stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('trinity','NEO','trinity@matrix','it is Trinity','default.jpg','user',1,'sentinel')"); 132 | stmt.executeUpdate("INSERT into users(username, password, email,About,avatar, privilege,secretquestion,secret) values ('Anderson','java','anderson@1999','I am computer programmer','default.jpg','user',1,'C++')"); 133 | 134 | //Posts table creation 135 | stmt.executeUpdate("create table posts(postid int NOT NULL AUTO_INCREMENT, content TEXT,title varchar(100), user varchar(30), primary key (postid))"); 136 | stmt.executeUpdate("INSERT into posts(content,title, user) values ('Feel free to ask any questions about Java Vulnerable Lab','First Post', 'admin')"); 137 | stmt.executeUpdate("INSERT into posts(content,title, user) values ('Hello Guys, this is victim','Second Post', 'victim')"); 138 | stmt.executeUpdate("INSERT into posts(content,title, user) values ('Hello This is attacker','Third Post', 'attacker')"); 139 | stmt.executeUpdate("INSERT into posts(content,title, user) values ('Trinity! 
Help!','Help','neo')"); 140 | 141 | 142 | stmt.executeUpdate("create table tdata(id int, page varchar(30))"); 143 | stmt.executeUpdate("Insert into tdata values(1,'ext1.html')"); 144 | stmt.executeUpdate("Insert into tdata values(2,'ext2.html')"); 145 | 146 | //Messages Table Creation 147 | stmt.executeUpdate("Create table Messages(msgid int NOT NULL AUTO_INCREMENT,name varchar(30),email varchar(60), msg varchar(500),primary key (msgid))"); 148 | stmt.executeUpdate("INSERT into Messages(name,email, msg) values ('TestUser','Test@localhost', 'Hi admin, how are you')"); 149 | 150 | //User Messages Table Creation recipient, sender, email, msg 151 | stmt.executeUpdate("Create table UserMessages(msgid int NOT NULL AUTO_INCREMENT,recipient varchar(30),sender varchar(30),subject varchar(60), msg varchar(500),primary key (msgid))"); 152 | stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('attacker','admin','Hi','Hi
    This is admin of this page.
    Welcome to Our Forum')"); 153 | stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('victim','admin','Hi','Hi
    This is admin of this page.
    Welcome to Our Forum')"); 154 | 155 | 156 | //Credit Card Table Creation 157 | stmt.executeUpdate("Create table cards(id int,cardno varchar(80), cvv varchar(6),expirydate varchar(15))"); 158 | stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('1','4000123456789010','123','12/2014')"); 159 | stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('2','4111111111111111 ','321','7/2015')"); 160 | stmt.executeUpdate("INSERT into cards(id,cardno, cvv,expirydate) values ('3','5111111111111118','111','1/2017')"); 161 | 162 | //Files List Table Creation 163 | stmt.executeUpdate("Create table FilesList(fileid int NOT NULL AUTO_INCREMENT,path text,primary key (fileid))"); 164 | stmt.executeUpdate("INSERT into FilesList(path) values ('/docs/doc1.pdf')"); 165 | stmt.executeUpdate("INSERT into FilesList(path) values ('/docs/exampledoc.pdf')"); 166 | 167 | return true; 168 | } 169 | return false; 170 | } 171 | } 172 | catch(SQLException ex) 173 | { 174 | System.out.println("SQLException: " + ex.getMessage()); 175 | System.out.println("SQLState: " + ex.getSQLState()); 176 | System.out.println("VendorError: " + ex.getErrorCode()); 177 | } 178 | catch(ClassNotFoundException ex) 179 | { 180 | System.out.print("JDBC Driver Missing:
    "+ex); 181 | } 182 | 183 | } 184 | return false; 185 | } 186 | 187 | // 188 | /** 189 | * Handles the HTTP GET method. 190 | * 191 | * @param request servlet request 192 | * @param response servlet response 193 | * @throws ServletException if a servlet-specific error occurs 194 | * @throws IOException if an I/O error occurs 195 | */ 196 | @Override 197 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 198 | throws ServletException, IOException { 199 | processRequest(request, response); 200 | } 201 | 202 | /** 203 | * Handles the HTTP POST method. 204 | * 205 | * @param request servlet request 206 | * @param response servlet response 207 | * @throws ServletException if a servlet-specific error occurs 208 | * @throws IOException if an I/O error occurs 209 | */ 210 | @Override 211 | protected void doPost(HttpServletRequest request, HttpServletResponse response) 212 | throws ServletException, IOException { 213 | processRequest(request, response); 214 | } 215 | 216 | /** 217 | * Returns a short description of the servlet. 218 | * 219 | * @return a String containing servlet description 220 | */ 221 | @Override 222 | public String getServletInfo() { 223 | return "Short description"; 224 | }// 225 | 226 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. 
By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. 
If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. 
You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 
113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | --------------------------------------------------------------------------------