The RDPS Super Vulnerable Java Application (SVJA) is just that -- a super vulnerable Java application created for the benefit of all to see a variety of common, often "complex", vulnerabilities. This software was created as part of the Roniel and DaRon Podcast Show (https://www.youtube.com/channel/UCbj1JFcSJeTuf3qf9GPRemA) so that we could discuss and show a number of vulnerabilities that we came across frequently, in a more realistic way than what you will see with the many other tools online. To see example exploitation, please watch our podcast.
Please remember that this application is intended to be highly vulnerable to a number of things. Be careful where you run it, limit who can access it (the Tomcat server should only listen on localhost and only ever on your personal machine). We are not responsible if you can't take proper care of your things, leaving your copy of it hanging out in the wind for anyone and everyone to steal your stuff or horribly compromise your machine. We recommend that you run this in a virtual machine (VM) that is secured and that has nothing sensitive on it and that has no connectivity to the internet. Failure to properly secure the system running this and the instance of it will likely result in a bad day for you. Like casual carnal relations without proper protections, you are only putting yourself in a position that you will come to regret someday. Consider yourself warned, but encouraged to play ;-)
Requirements:

- Apache Maven 3.6 or above
- npm 7.11 or above
- Java 11 or above
- Tomcat 9.0 or above
The RDPS SVJA is a Java Struts 2 application running React. It is built by simply running `mvn clean package`.

This creates a WAR in target -- svja.war. Simply place the WAR in your Tomcat webapps folder. In a default Tomcat build, go to http://127.0.0.1:8080/svja to access the application.

If you are running Tomcat 10 or above, please add `<Loader jakartaConverter="TOMCAT" />` to your Tomcat context.xml config file.
For those who want to use it to get the ball rolling, the root (http://127.0.0.1:8080/svja) now features Swagger UI and a basic OpenAPI specification (http://127.0.0.1:8080/svja/specification.yaml) that you can use. Note that the specification, and thus Swagger UI, only scratches the surface (that's what insecure deserialisation, etc., is all about, right?).
Below are some of the major vulnerabilities in the system, by action.

- /api/authenticate
  - Cross-site request forgery (CSRF)
  - Denial of service (DOS)
  - Insecure deserialisation (OGNL, Struts, JSON -- no bytecode)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Log injection
  - Sensitive data in URL
- /api/authenticate/federated
  - Cross-site request forgery (CSRF)
  - Denial of service (DOS)
  - Insecure deserialisation (OGNL, Struts, JSON -- no bytecode)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Log injection
  - Regular expression injection
    - Authentication bypass
    - Denial of service
- /api/files
  - Cross-site request forgery (CSRF)
  - Cross-site scripting (XSS) via encoding
  - Denial of service (DOS)
  - Insecure deserialisation (OGNL, Struts, JSON -- no bytecode)
  - Path traversal (read-only)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Insecure direct object reference
  - Insecure serialisation
  - Personally identifiable information (PII) bleed
  - Sensitive information bleed
  - Log injection
  - Race condition
  - Time of check, time of use (TOCTOU)
  - Sensitive data in URL
- /api/projects
  - Comma Separated Values (CSV) injection
    - Arbitrary CSV injection
    - Client-side attacks
  - Cross-site request forgery (CSRF)
  - Cross-site scripting (XSS) via encoding
  - Denial of service (DOS)
  - Insecure deserialisation (OGNL, Struts, JSON -- no bytecode)
  - Path traversal (read-only)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Insecure direct object reference
  - Insecure serialisation
  - Personally identifiable information (PII) bleed
  - Sensitive information bleed
  - Log injection
  - Sensitive data in URL
  - XLSX injection
    - Arbitrary XML injection
    - Client-side attacks
    - Comma Separated Values (CSV) injection
- /api/reflect
  - Usage reflection
  - Insecure deserialisation (OGNL, Struts, JSON -- no bytecode)
  - Path traversal (read-only)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Insecure direct object reference
  - Insecure serialisation
  - Personally identifiable information (PII) bleed
  - Sensitive information bleed
  - Log injection
- /api/supersecret
  - Weak cipher mode
  - Padding oracle
  - Usage reflection
  - Insecure deserialisation (OGNL, Struts, JSON)
  - Path traversal (read-only)
  - Arbitrary object creation
  - Arbitrary method call
  - Session hijacking
  - Session bypass
  - Authentication bypass
  - Insecure direct object reference
  - Insecure serialisation
  - Personally identifiable information (PII) bleed
  - Sensitive information bleed
  - Log injection
Accounts (username:password):

- admin:admin (application administrator account)
- bill:baker (privileged user account)
- bob:barker (basic, read-only user account)

Login URLs for each account:

- /api/authenticate?user.username=admin&user.password=admin
- /api/authenticate?user.username=bill&user.password=baker
- /api/authenticate?user.username=bob&user.password=barker
After authentication, hit any action you please using either a JSON body or Struts-style request parameters. Both forms of the same login request are shown below.

```http
GET /svja/api/authenticate?user.username=bill&user.password=baker HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Host: localhost
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 0
DNT: 1
Connection: close
Cache-Control: max-age=0
```

```http
GET /svja/api/authenticate HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Host: localhost
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 61
DNT: 1
Connection: close
Cache-Control: max-age=0

{
    "user": {
        "username": "bill",
        "password": "baker"
    }
}
```
```http
GET /svja/api/authenticate/federated?user.username=bill%40rdps.local&usernameTranslationRegex=%2F%40rdps%5B.%5Dlocal%2F%2F HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Host: localhost
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 0
DNT: 1
Connection: close
Cache-Control: max-age=0
```

```http
GET /svja/api/authenticate/federated HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Host: localhost
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 61
DNT: 1
Connection: close
Cache-Control: max-age=0

{
    "user": {
        "username": "bill@rdps.local"
    },
    "usernameTranslationRegex": "/@rdps[.]local//"
}
```
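The federated requests above let the client supply the `usernameTranslationRegex` that turns `bill@rdps.local` into the local account `bill`, which is what the regular expression injection entries in the list refer to. The following Java class is an added example, not SVJA's own code: it puts the caller-controlled rewrite next to a server-owned one in which the trusted realm list and the shape of a valid account name are fixed. The class, method and field names, the realm allow-list and the account-name pattern are all assumptions for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not SVJA project code. Contrasts two ways of turning a
// federated login such as "bill@rdps.local" into a local account name.
// Class, method and field names are hypothetical.
public class FederatedUsernameTranslation {

    // Vulnerable shape: the caller supplies the rewrite rule, as the
    // usernameTranslationRegex parameter does ("/pattern/replacement/").
    // Whoever controls the pattern decides which local account the login
    // resolves to, and can submit a pattern that is costly to evaluate or
    // that does not compile at all (PatternSyntaxException on the server).
    static String translateWithCallerRegex(String federatedUsername, String callerRule) {
        // "/@rdps[.]local//" splits into ["", "@rdps[.]local", "", ""]
        String[] parts = callerRule.split("/", -1);
        String pattern = parts.length > 1 ? parts[1] : "";
        String replacement = parts.length > 2 ? parts[2] : "";
        return federatedUsername.replaceAll(pattern, replacement);
    }

    // Hardened shape: the server owns the mapping. The client sends only the
    // federated username; the realm allow-list and the accepted shape of a
    // local account name are fixed in code (assumed values).
    private static final List<String> TRUSTED_REALMS = Arrays.asList("@rdps.local");
    private static final Pattern LOCAL_USERNAME = Pattern.compile("[a-z][a-z0-9_]{0,31}");

    static String translateWithFixedRealms(String federatedUsername) {
        if (federatedUsername == null || federatedUsername.length() > 254) {
            throw new IllegalArgumentException("username missing or too long");
        }
        for (String realm : TRUSTED_REALMS) {
            if (federatedUsername.endsWith(realm)) {
                String local = federatedUsername.substring(0, federatedUsername.length() - realm.length());
                if (!LOCAL_USERNAME.matcher(local).matches()) {
                    throw new IllegalArgumentException("local part is not a valid account name");
                }
                return local;
            }
        }
        throw new IllegalArgumentException("realm is not trusted");
    }

    public static void main(String[] args) {
        // Constructed inputs: the documented login plus a few malformed ones.
        System.out.println(translateWithCallerRegex("bill@rdps.local", "/@rdps[.]local//"));
        System.out.println(translateWithFixedRealms("bill@rdps.local"));

        for (String bad : Arrays.asList("bill@evil.example", "bill@rdps.local@rdps.local", "../bill@rdps.local")) {
            try {
                translateWithFixedRealms(bad);
            } catch (IllegalArgumentException e) {
                System.out.println(bad + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The hardened version never compiles anything the client sent, so the pattern cost is fixed, and the only account names it can produce are the local parts of trusted realms that also pass the strict username check. Compile and run it with `javac FederatedUsernameTranslation.java && java FederatedUsernameTranslation`.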
Remember to replace the svjatoken cookie value with the one issued to your own session at authentication.

```http
GET /svja/api/projects?projectId=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: svjatoken=RaMu5vhFBgL8goV6Ja1ffLnpmcixNuAL7fUP;
Cache-Control: max-age=0
```
Again, remember to replace the svjatoken cookie value with your own.

```http
GET /svja/api/projects HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 19
DNT: 1
Connection: close
Cookie: svjatoken=RaMu5vhFBgL8goV6Ja1ffLnpmcixNuAL7fUP;
Cache-Control: max-age=0

{
    projectId:1
}
```
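The projects requests above fetch a record by `projectId` with nothing but a session cookie, which is the setting for the insecure direct object reference listed under /api/projects. The Java class below is an added example and not SVJA's own code: it shows a lookup that only checks that a session exists next to one that ties the record to the authenticated user. The roles, the in-memory session and project tables and every name in it are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example, not SVJA project code. Shows the authorisation check that
// separates an insecure direct object reference on projectId from a safe
// lookup. Names, roles and sample data are hypothetical.
public class ProjectAccess {

    enum Role { ADMIN, PRIVILEGED, READ_ONLY }

    static final class User {
        final String username;
        final Role role;
        User(String username, Role role) { this.username = username; this.role = role; }
    }

    static final class Project {
        final int id;
        final String owner;
        final String name;
        Project(int id, String owner, String name) { this.id = id; this.owner = owner; this.name = name; }
    }

    // Constructed data: one session token per documented account, two projects.
    static final Map<String, User> SESSIONS = new HashMap<>();
    static final Map<Integer, Project> PROJECTS = new HashMap<>();
    static {
        SESSIONS.put("token-for-admin", new User("admin", Role.ADMIN));
        SESSIONS.put("token-for-bill", new User("bill", Role.PRIVILEGED));
        SESSIONS.put("token-for-bob", new User("bob", Role.READ_ONLY));
        PROJECTS.put(1, new Project(1, "bill", "podcast planning"));
        PROJECTS.put(2, new Project(2, "bob", "bob's notes"));
    }

    // Vulnerable shape: the only check is that some session exists. Any
    // logged-in user can read any projectId.
    static Optional<Project> loadUnchecked(String svjatoken, int projectId) {
        if (!SESSIONS.containsKey(svjatoken)) {
            return Optional.empty();
        }
        return Optional.ofNullable(PROJECTS.get(projectId));
    }

    // Hardened shape: the record is bound to the authenticated principal. A
    // project is returned only to its owner or to an administrator, and a
    // forbidden id is answered exactly like a missing one, so the response
    // does not reveal which ids exist.
    static Optional<Project> loadAuthorised(String svjatoken, int projectId) {
        User user = SESSIONS.get(svjatoken);
        if (user == null) {
            return Optional.empty();
        }
        Project project = PROJECTS.get(projectId);
        if (project == null) {
            return Optional.empty();
        }
        boolean allowed = user.role == Role.ADMIN || project.owner.equals(user.username);
        return allowed ? Optional.of(project) : Optional.empty();
    }

    public static void main(String[] args) {
        // bob asks for bill's project: the unchecked lookup hands it over, the authorised one does not.
        System.out.println(loadUnchecked("token-for-bob", 1).map(p -> p.name).orElse("not found"));
        System.out.println(loadAuthorised("token-for-bob", 1).map(p -> p.name).orElse("not found"));
        // the owner and an administrator still get the record; a stale token gets nothing
        System.out.println(loadAuthorised("token-for-bill", 1).map(p -> p.name).orElse("not found"));
        System.out.println(loadAuthorised("token-for-admin", 2).map(p -> p.name).orElse("not found"));
        System.out.println(loadAuthorised("stale-token", 1).map(p -> p.name).orElse("not found"));
    }
}
```

The design point is that the authorisation decision is made next to the data access, using the principal resolved from the session rather than anything the client put in the request. Compile and run it with `javac ProjectAccess.java && java ProjectAccess`.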
This is a work in progress and we have many more vulnerabilities and things planned (including a super vulnerable frontend and other super vulnerable applications) -- check back with us every couple of months and watch the Roniel and DaRon Podcast Show for updates, sample exploitation, and other ideas. We also encourage you to try to figure out how to mitigate or fix the vulnerabilities... breaking things is easy... it's mitigating, fixing, and securing that is hard. Good luck and happy hunting!