# SCJ - Writing Secure Code in Java ![](https://3622500909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LpsUccoL9AvW9-dz-sO%2Fuploads%2FtNmuWNEFdTYtzjUcrArC%2Fimage.png?alt=media\&token=6f2b1866-9ad7-4eb6-95d1-989105f692c5) Java is one of the most common object-oriented programming languages used in enterprise and open source projects. Spring is the most popular application development framework for enterprise Java. Millions of developers around the world use Spring Framework to create high-performing, easily testable, and reusable code. Multiple CVEs have affected Java software, for example, [Log4Shell](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-44228) (CVE-2021-44228) or the most recent [Spring4Shell](https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/) (or SpingShell), confirming that secure coding requires a combination of processes, tools, and awareness. During this course, we will look into multiple web vulnerabilities and we will dissect known CVEs such as Log4Shell and SpringShell. We will also look into the security features of Spring and how to correctly use them to avoid some vulnerabilities. At the end of the course, we will deep dive into SCA and SAST tools to detect vulnerabilities in our "homemade" vulnerable apps. **SQL injection example from our labs** ```java public Product getProduct(int id) { Connection conn = DatabaseConnection.getConnection(); Statement stmt = null; try { stmt = conn.createStatement(); String sql; sql = "SELECT * FROM product WHERE `product_id` = " + id; ResultSet rs = stmt.executeQuery(sql); while (rs.next()) { return new Product( rs.getInt("product_id"), rs.getString("name"), rs.getString("description"), rs.getString("image_url"), rs.getDouble("price"), rs.getDouble("star")); } } catch (Exception e) { System.err.println(e.getMessage()); e.printStackTrace(); } finally { DatabaseConnection.releaseConnection(conn); } return null; } ``` ## Prerequisites * Knowledge of Java and Spring Framework * Interest in security ## Target audience * Security Engineers * Security Champions * DevOps * Developers ## Tools used * Any IDE * Docker * Burp Suite Community edition * Semgrep * Coffee or Tea ☕️ ## Syllabus
ModuleTopicDetails
The hacking mindset
How attackers will look at your Java applications
Secure coding introduction
Secure coding principles
From SDLC to SSDLC
OWASP Top 10 2021
OWASP ASVS and security requirements
CVSS: how to rate vulnerabilities
Spring Security Framework
AuthN and AuthZ in Spring
CSRF protection
Password encoding in Spring
Dissecting (in)famous Java CVE
Log4j to Log4Shell (CVE -2021-44228)
Spring4Shell (CVE-2022-22965)
AuthN and AuthZ attacks
LAB: IDOR (Insecure Direct Object Reference)
LAB: Path Traversal
LAB: CSRF (Cross-Site Request Forgery)
Spring actuators exploitation
LAB: LDAP injection and authentication bypass
Attacking a Spring web application
LAB: XSS (dom, reflected, and stored)
Spring Security Headers and CSP
Client side Open redirect
Server Side Injections in Java
LAB: SQL injections
LAB: Command injection
Abusing Runtime.getRuntime().exec(cmd)
LAB: Code and Object Injection
Expliting eval()
Deserialization to RCE
LAB: XML Injections
From XML to SSRF wiht xinclude
Exploiting XXE and XML Bomb (million laugh attacks)
LAB: Server-Side Request Forgery
Basics of SSRF
Exploiting SSRF using DNS localhost resolution
LAB: NoSQL injections
LAB: Local and remote file inclusion
LAB: Server Side Template Injections
LAB: Exploiting FreeMaker templates
LAB: Exploiting Velocity templates
LAB: Expression Language (EL) injections
Vulnerable and Outdated Dependencies
Dependencies as graph
The importance of SCA (Static Component Analysis)
LAB: Detecting known vulnerabilities using Snyk
Integrate SCA in the CI/CD pipeline
maven
Detecting vulnerabilities in Java using SCA
Scanning your code using Semgrep
Semgrep basics
LAB: Semgrep for Java: How to write rules
Semgrep automation
## **Trainers**
Davide Cioccia As the Founder and Principal Security Architect @ DCODX, I focus on hacking and securing web and mobile applications. I'm active in the security community as OWASP [MSTG](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/README.md) contributor, [DevSecCon](https://www.devseccon.com/events) Chapter Lead for the Netherlands and speaker at major conferences such as BlackHat, OWASP AppSec and DevSecCon, where I talk about DevSecOps, secure coding and OSINT techiniques. Check my full profile on LinkedIn or send me an email at if you want to know more about me and the trainings I teach. Follow me on: Twitter: GitHub: LinkedIn:
## Why should you attend this course? This course will teach you the inside out of exploiting and securing Java applications via real-life examples. If you are a Java developer this is the course for you. {% hint style="info" %} ### More info? Contact us at {% endhint %}