SCJ - Writing Secure Code in Java
Do you want to learn how to hack Java applications and how to make it hacker-proof? This is the course for you. SCJ is 1 or 2 days live course, depending on the chosen topics.
Last updated
Do you want to learn how to hack Java applications and how to make it hacker-proof? This is the course for you. SCJ is 1 or 2 days live course, depending on the chosen topics.
Last updated
PENETRATION TESTS
PentestsLET'S MEET
Book 15 minutes with one of our experts@ dcodx.com
Java is one of the most common object-oriented programming languages used in enterprise and open source projects. Spring is the most popular application development framework for enterprise Java. Millions of developers around the world use Spring Framework to create high-performing, easily testable, and reusable code.
Multiple CVEs have affected Java software, for example, Log4Shell (CVE-2021-44228) or the most recent Spring4Shell (or SpingShell), confirming that secure coding requires a combination of processes, tools, and awareness.
During this course, we will look into multiple web vulnerabilities and we will dissect known CVEs such as Log4Shell and SpringShell. We will also look into the security features of Spring and how to correctly use them to avoid some vulnerabilities. At the end of the course, we will deep dive into SCA and SAST tools to detect vulnerabilities in our "homemade" vulnerable apps.
SQL injection example from our labs
Knowledge of Java and Spring Framework
Interest in security
Security Engineers
Security Champions
DevOps
Developers
Any IDE
Docker
Burp Suite Community edition
Semgrep
Coffee or Tea ☕️
Module | Topic | Details |
---|---|---|
The hacking mindset | ||
How attackers will look at your Java applications | ||
Secure coding introduction | ||
Secure coding principles | ||
From SDLC to SSDLC | ||
OWASP Top 10 2021 | ||
OWASP ASVS and security requirements | ||
CVSS: how to rate vulnerabilities | ||
Spring Security Framework | ||
AuthN and AuthZ in Spring | ||
CSRF protection | ||
Password encoding in Spring | ||
Dissecting (in)famous Java CVE | ||
Log4j to Log4Shell (CVE -2021-44228) | ||
Spring4Shell (CVE-2022-22965) | ||
AuthN and AuthZ attacks | ||
LAB: IDOR (Insecure Direct Object Reference) | ||
LAB: Path Traversal | ||
LAB: CSRF (Cross-Site Request Forgery) | ||
Spring actuators exploitation | ||
LAB: LDAP injection and authentication bypass | ||
Attacking a Spring web application | ||
LAB: XSS (dom, reflected, and stored) | ||
Spring Security Headers and CSP | ||
Client side Open redirect | ||
Server Side Injections in Java | ||
LAB: SQL injections | ||
LAB: Command injection | ||
Abusing | ||
LAB: Code and Object Injection | ||
Expliting | ||
Deserialization to RCE | ||
LAB: XML Injections | ||
From XML to SSRF wiht | ||
Exploiting XXE and XML Bomb (million laugh attacks) | ||
LAB: Server-Side Request Forgery | ||
Basics of SSRF | ||
Exploiting SSRF using DNS localhost resolution | ||
LAB: NoSQL injections | ||
LAB: Local and remote file inclusion | ||
LAB: Server Side Template Injections | ||
LAB: Exploiting | ||
LAB: Exploiting | ||
LAB: Expression Language (EL) injections | ||
Vulnerable and Outdated Dependencies | ||
Dependencies as graph | ||
The importance of SCA (Static Component Analysis) | ||
LAB: Detecting known vulnerabilities using Snyk | ||
Integrate SCA in the CI/CD pipeline | ||
| ||
Detecting vulnerabilities in Java using SCA | ||
Scanning your code using Semgrep | ||
Semgrep basics | ||
LAB: Semgrep for Java: How to write rules | ||
Semgrep automation |
This course will teach you the inside out of exploiting and securing Java applications via real-life examples. If you are a Java developer this is the course for you.