SCJ - Writing Secure Code in Java

Do you want to learn how to hack Java applications and how to make them hacker-proof? This is the course for you. SCJ is a one- or two-day live course, depending on the chosen topics.

Java is one of the most common object-oriented programming languages used in enterprise and open source projects. Spring is the most popular application development framework for enterprise Java. Millions of developers around the world use Spring Framework to create high-performing, easily testable, and reusable code.

Multiple CVEs have affected Java software, for example Log4Shell (CVE-2021-44228) or the more recent Spring4Shell (also called SpringShell), confirming that secure coding requires a combination of processes, tools, and awareness.

During this course, we will look into multiple web vulnerabilities and dissect known CVEs such as Log4Shell and SpringShell. We will also look into the security features of Spring and how to use them correctly to avoid some vulnerabilities. At the end of the course, we will take a deep dive into SCA and SAST tools to detect vulnerabilities in our "homemade" vulnerable apps.

SQL injection example from our labs

public Product getProduct(int id) {
	Connection conn = DatabaseConnection.getConnection();
	Statement stmt = null;
	try {
		stmt = conn.createStatement();
		String sql;
		// The query is assembled by string concatenation instead of a bound
		// parameter: this is the pattern the lab exploits. With an int argument
		// the value itself cannot carry SQL, but the same code taking a String
		// straight from the request is directly injectable.
		sql = "SELECT * FROM product WHERE `product_id` = " + id;
		ResultSet rs = stmt.executeQuery(sql);

		// Returns on the first row; rs and stmt are never closed.
		while (rs.next()) {
			return new Product(
				rs.getInt("product_id"), 
				rs.getString("name"), 
				rs.getString("description"),
				rs.getString("image_url"), 
				rs.getDouble("price"), 
				rs.getDouble("star"));
		}
	} catch (Exception e) {
		// Catch-all: the driver's error message and stack trace go to stderr.
		System.err.println(e.getMessage());
		e.printStackTrace();
	} finally {
		DatabaseConnection.releaseConnection(conn);
	}
	return null;
}
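A hardened counterpart to the lab method above, written here as an added example and not taken from the course labs: the id is bound through a PreparedStatement, the raw request parameter is parsed strictly before any query is issued, and errors are logged server-side only. It assumes the same DatabaseConnection and Product classes the lab code uses.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ProductRepository {
    private static final Logger LOG = Logger.getLogger(ProductRepository.class.getName());

    // Entry point for the parameter as it arrives from the request: a String.
    // Strict parsing rejects anything that is not an integer before it gets
    // anywhere near the database, so no SQL is built from untrusted text.
    public Product getProduct(String rawId) {
        final int id;
        try {
            id = Integer.parseInt(rawId.trim());
        } catch (NumberFormatException e) {
            return null; // not a product id: no query is issued at all
        }
        return getProduct(id);
    }

    public Product getProduct(int id) {
        // The value travels as a bound parameter, never as part of the SQL text,
        // so it cannot alter the structure of the statement.
        final String sql = "SELECT * FROM product WHERE `product_id` = ?";
        Connection conn = DatabaseConnection.getConnection();
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, id);
            // try-with-resources closes the ResultSet and Statement on every path
            try (ResultSet rs = stmt.executeQuery()) {
                if (rs.next()) {
                    return new Product(
                            rs.getInt("product_id"),
                            rs.getString("name"),
                            rs.getString("description"),
                            rs.getString("image_url"),
                            rs.getDouble("price"),
                            rs.getDouble("star"));
                }
            }
        } catch (SQLException e) {
            // Log server-side; the driver message and stack trace must not reach the client.
            LOG.log(Level.SEVERE, "product lookup failed", e);
        } finally {
            DatabaseConnection.releaseConnection(conn);
        }
        return null;
    }
}
```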

Prerequisites

  • Knowledge of Java and Spring Framework

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

Tools used

  • Any IDE

  • Docker

  • Burp Suite Community edition

  • Semgrep

  • Coffee or Tea ☕️

Syllabus

Module: The hacking mindset

  • How attackers will look at your Java applications

Module: Secure coding introduction

  • Secure coding principles

  • From SDLC to SSDLC

  • OWASP Top 10 2021

  • OWASP ASVS and security requirements

  • CVSS: how to rate vulnerabilities

Module: Spring Security Framework

  • AuthN and AuthZ in Spring

  • CSRF protection

  • Password encoding in Spring

Module: Dissecting (in)famous Java CVEs

  • Log4j to Log4Shell (CVE-2021-44228)

  • Spring4Shell (CVE-2022-22965)

Module: AuthN and AuthZ attacks

  • LAB: IDOR (Insecure Direct Object Reference)

  • LAB: Path Traversal

  • LAB: CSRF (Cross-Site Request Forgery)

  • Spring actuators exploitation

  • LAB: LDAP injection and authentication bypass

Module: Attacking a Spring web application

  • LAB: XSS (DOM, reflected, and stored)

  • Spring Security headers and CSP

  • Client-side open redirect

Module: Server-side injections in Java

  • LAB: SQL injections

  • LAB: Command injection (abusing Runtime.getRuntime().exec(cmd))

  • LAB: Code and Object Injection (exploiting eval(); deserialization to RCE)

  • LAB: XML Injections (from XML to SSRF with xinclude; exploiting XXE and XML Bomb, the million laughs attack)

  • LAB: Server-Side Request Forgery (basics of SSRF; exploiting SSRF using DNS localhost resolution)

  • LAB: NoSQL injections

  • LAB: Local and remote file inclusion

  • LAB: Server-Side Template Injections

  • LAB: Exploiting FreeMarker templates

  • LAB: Exploiting Velocity templates

  • LAB: Expression Language (EL) injections

Module: Vulnerable and Outdated Dependencies

  • Dependencies as a graph

  • The importance of SCA (Static Component Analysis)

  • LAB: Detecting known vulnerabilities using Snyk

  • Integrate SCA in the CI/CD pipeline (Maven)

  • Detecting vulnerabilities in Java using SCA

Module: Scanning your code using Semgrep

  • Semgrep basics

  • LAB: Semgrep for Java: how to write rules

  • Semgrep automation

Trainers

Davide Cioccia

As the Founder and Principal Security Architect @ DCODX, I focus on hacking and securing web and mobile applications. I'm active in the security community as an OWASP MSTG contributor, DevSecCon Chapter Lead for the Netherlands and speaker at major conferences such as BlackHat, OWASP AppSec and DevSecCon, where I talk about DevSecOps, secure coding and OSINT techniques. Check my full profile on LinkedIn or send me an email at davide@dcodx.com if you want to know more about me and the trainings I teach.

Follow me on:

Twitter: https://twitter.com/davide107

GitHub: https://github.com/david3107

LinkedIn: https://www.linkedin.com/in/davidecioccia/

Why should you attend this course?

This course will teach you the ins and outs of exploiting and securing Java applications via real-life examples. If you are a Java developer, this is the course for you.

More info? Contact us at trainings@dcodx.com
