OWASP Java - Vulnerability Showcase

Serious warning

A seriously flawed Java project for teaching OWASP Top 10 - 2017 concepts.

DO NOT USE ANY PART OF THIS CODE IN PRODUCTION.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.

Prerequisites

You'll need:

JDK 11

Install the JDK, and configure the JAVA_HOME and PATH environment variables properly. Some guidelines are provided in this Stackoverflow post.

Open a command prompt, and make sure everything works smoothly:

Setting up JDK-11

MySQL Community Server 8

Unzip MySQL, and go to the bin directory. Execute the following command (not recommended for production environments):

mysqld --initialize-insecure

This command initializes the data directory, and creates a 'root'@'localhost' superuser account with empty password.

To install the service on Windows machines, run:

mysqld --install

Finally, to start the service, run:

sc start mysql

To check whether the installation was successful, issue the command mysql -uroot:

MySQL console

Type exit, and press Enter to get out of MySQL console.

We need to create our sample database, and populate it with sample data. The SQL file is called testdb.sql. Download it to MySQL bin directory, and from there execute the following command:

mysql -uroot < testdb.sql

If everything goes smoothly, you can issue the commands and see the results as shown below:

MySQL - check database creation and data population

Finally, change the root password to 123456, as empty passwords will not be accepted by Payara Server (next step). Note that both the password itself and the following method of changing it are totally insecure:

mysqladmin --user=root password "123456"

Payara Server

Download and extract Payara Server, as well as MySQL Connector/J. I extracted the latter to C:\tmp\mysql-connector-java-8.0.18.jar.

Make sure you followed the instructions for installing and configuring JDK-11. Start Payara Server using the following command:

asadmin start-domain

Next, install MySQL Connector/J:

asadmin add-library C:\tmp\mysql-connector-java-8.0.18.jar

Here's a snapshot of how things should look:

Payara - starting server and installing MySQL Connector/J

Open Payara Web Console, and navigate to Resources → JDBC → JDBC Connection Pools. Click the New button.

Payara - creating new connection pool

For Step 1, fill in the information exactly as shown (this pool is referenced later as MySQL_root_Pool):

Payara - connection pool - step 1 of 2

For Step 2, scroll down until you see the Additional Properties:

Payara - connection pool - step 2 of 2

You have to set the following properties (sorted alphabetically):

  • allowPublicKeyRetrieval: Whether the client is allowed to automatically request the public key from the server. Set it to true. (Not recommended in production environments)
  • DatabaseName: The name of the database you want to connect to. In this case, testdb.
  • Password: The password for the specified user. Here, it's 123456.
  • ServerName: The location of the MySQL server. In this case, localhost.
  • sslMode: Whether SSL is used for connecting to the MySQL server. Set it to DISABLED. (Not recommended in production environments)
  • URL and Url: The JDBC URL to be used. Here, set both to jdbc:mysql://localhost:3306/testdb.
  • User: The username for connecting to the database. Here, it's root.

Hit the Finish button. Click the newly created connection pool. In the General tab, click the Ping button. If everything goes right, you should see the following:

Payara - connection pool - Ping

Similarly, create another connection pool called MySQL_readonly_Pool. Step 1 is the same as for the previous connection pool. For Step 2, set the Additional Properties as follows:

  • allowPublicKeyRetrieval: true.
  • DatabaseName: testdb.
  • Password: MyVeryLongPassphrase.
  • ServerName: localhost.
  • sslMode: DISABLED.
  • URL: jdbc:mysql://localhost:3306/testdb.
  • Url: jdbc:mysql://localhost:3306/testdb.
  • User: readonly.

We need to set up the JDBC resources. Go to Resources → JDBC → JDBC Resources, and click New. Fill in the form as follows:

  • JNDI Name: jdbc/MySQL_root_DataSource
  • Connection Pool: MySQL_root_Pool

Payara - JDBC Resources

Similarly, do this for the second connection pool:

  • JNDI Name: jdbc/MySQL_readonly_DataSource
  • Connection Pool: MySQL_readonly_Pool
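Payara persists the pools and resources configured above in domain1's domain.xml. The following script is an added example (not part of the OWASP-Java project) that parses a domain.xml fragment and flags the settings the steps above mark as "not recommended in production"; the fragment is constructed to mirror the two pools described here, and the 12-character password threshold is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment mirroring the two pools configured above
# (not a file from the project). Payara's real file lives under
# glassfish/domains/domain1/config/domain.xml.
SAMPLE_DOMAIN_XML = """<domain><resources>
  <jdbc-connection-pool name="MySQL_root_Pool">
    <property name="allowPublicKeyRetrieval" value="true"/>
    <property name="DatabaseName" value="testdb"/>
    <property name="Password" value="123456"/>
    <property name="ServerName" value="localhost"/>
    <property name="sslMode" value="DISABLED"/>
    <property name="URL" value="jdbc:mysql://localhost:3306/testdb"/>
    <property name="User" value="root"/>
  </jdbc-connection-pool>
  <jdbc-connection-pool name="MySQL_readonly_Pool">
    <property name="allowPublicKeyRetrieval" value="true"/>
    <property name="Password" value="MyVeryLongPassphrase"/>
    <property name="sslMode" value="DISABLED"/>
    <property name="User" value="readonly"/>
  </jdbc-connection-pool>
  <jdbc-resource jndi-name="jdbc/MySQL_root_DataSource" pool-name="MySQL_root_Pool"/>
  <jdbc-resource jndi-name="jdbc/MySQL_readonly_DataSource" pool-name="MySQL_readonly_Pool"/>
</resources></domain>"""


def audit_pools(domain_xml: str) -> dict:
    """Return {pool name: (JNDI names bound to it, [findings])} for each JDBC pool."""
    root = ET.fromstring(domain_xml)
    jndi = {}  # pool name -> JNDI names, so a finding can be traced to a datasource
    for res in root.iter("jdbc-resource"):
        jndi.setdefault(res.get("pool-name"), []).append(res.get("jndi-name"))
    report = {}
    for pool in root.iter("jdbc-connection-pool"):
        props = {p.get("name"): p.get("value", "") for p in pool.findall("property")}
        findings = []
        if props.get("sslMode", "").upper() == "DISABLED":
            findings.append("sslMode=DISABLED: traffic to MySQL is unencrypted")
        if props.get("allowPublicKeyRetrieval", "").lower() == "true":
            findings.append("allowPublicKeyRetrieval=true: client accepts an unauthenticated "
                            "server key, exposing the password to an on-path attacker")
        if props.get("User") == "root":
            findings.append("User=root: application pool runs as the MySQL superuser")
        if len(props.get("Password", "")) < 12:  # assumed minimum length
            findings.append("Password: shorter than 12 characters")
        report[pool.get("name")] = (jndi.get(pool.get("name"), []), findings)
    return report
```

Call audit_pools(SAMPLE_DOMAIN_XML) or pass the contents of a real domain.xml; the readonly pool is the better-practice baseline since it avoids the superuser and the short password, but still carries the two transport findings.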

Finally, issue the following command to stop the Payara Server.

asadmin stop-domain

This is necessary because IntelliJ IDEA starts the server itself.

IntelliJ IDEA

Open the project in IntelliJ IDEA. It notifies you that a web framework has been detected:

Frameworks Detected

Click Configure to open the Setup Frameworks window. Then, simply click OK:

Setup Frameworks

Select Run → Edit Configurations.... Open Templates → GlassFish Server → Local. Click Configure:

Edit GlassFish template

Select GlassFish Home. If selected correctly, IntelliJ will automatically detect the GlassFish Version:

GlassFish Home

Click OK. From the Server Domain drop-down box, select domain1.

Server Domain

Click Apply. You now have a proper GlassFish template which you can use across multiple projects. For each project, however, you need to configure the "artifact" to be deployed. To this end, click the + at the top-left, and select GlassFish Server → Local:

New Configuration

At the bottom, IntelliJ warns you that No artifacts configured. Simply click the Fix button.

No artifacts configured

Then, in the Artifacts window, click the + sign, and choose Web Application Exploded → From Modules.

New Artifact

Pick the only available module, i.e., OWASP-JAVA, and click OK.

Select modules

Click OK to return to the Run/Debug Configurations. At the bottom, you'll see one more warning: Debug settings are invalid or not suitable for local debugging. Click the Fix button, and IntelliJ will take care of that for you.

Fix debug settings

You can now run the project. IntelliJ automatically opens your default browser, and navigates to http://localhost:8080/OWASP_Java_war_exploded/:

Login Page

Enter the following credentials:

  • Username: kambiz
  • Password: 1

If everything works correctly, you'll be redirected to the user home page:

Home Page

Otherwise, you might need to look at GlassFish logs, as reported by IntelliJ, to see what went wrong.

GlassFish logs

By the way, I use the Grep Console plugin to make analyzing logs easier.