This is an intentionally vulnerable Spring Boot application (Java + Kotlin) designed for testing security remediation tools and learning about common web application vulnerabilities.
This application is designed to:
- Test automated security scanning and remediation tools
- Demonstrate common OWASP Top 10 vulnerabilities in Java/Spring Boot
- Provide a realistic codebase with 200+ dependency vulnerabilities
- Showcase different vulnerability remediation scenarios across the Java ecosystem
- Spring Boot 2.1.6 (from 2019) with extensive vulnerable dependencies
- Mixed Java and Kotlin codebase
- User authentication (with vulnerabilities)
- File upload/download
- Database operations (simulated)
- External API integration
- Search functionality
- Admin operations
- Multiple data parsers (XML, YAML, JSON)
| Vulnerability | CWE | File | Line | Severity |
|---|---|---|---|---|
| Hardcoded Secrets | CWE-798 | VulnerableApplication.java | 19-22 | HIGH |
| Insecure CORS | CWE-942 | VulnerableApplication.java | 32-41 | MEDIUM |
| SQL Injection | CWE-89 | VulnerableController.java | 81-96 | CRITICAL |
| Command Injection | CWE-78 | VulnerableController.java | 99-117 | CRITICAL |
| Path Traversal | CWE-22 | VulnerableController.java | 120-132 | HIGH |
| Unrestricted File Upload | CWE-434 | VulnerableController.java | 135-150 | HIGH |
| Cross-Site Scripting (XSS) | CWE-79 | VulnerableController.java | 153-157 | HIGH |
| Server-Side Request Forgery (SSRF) | CWE-918 | VulnerableController.java | 160-181 | HIGH |
| Remote Code Execution | CWE-94 | VulnerableController.java | 184-196 | CRITICAL |
| Insecure Deserialization | CWE-502 | VulnerableController.java | 199-212 | CRITICAL |
| Missing Authentication | CWE-862 | VulnerableController.java | 215-223 | CRITICAL |
| Insecure Direct Object Reference | CWE-639 | VulnerableController.java | 226-238 | MEDIUM |
| XML External Entity (XXE) | CWE-611 | VulnerableController.java | 241-256 | HIGH |
| YAML Deserialization | CWE-502 | VulnerableController.java | 259-271 | HIGH |
| Mass Assignment | CWE-915 | VulnerableController.java | 274-286 | MEDIUM |
| Sensitive Data Exposure | CWE-200 | VulnerableController.java | 289-301 | HIGH |
| Insecure Randomness | CWE-330 | VulnerableController.java | 304-315 | MEDIUM |
| Open Redirect | CWE-601 | VulnerableController.java | 318-322 | MEDIUM |
| Information Disclosure | CWE-209 | VulnerableController.java | 325-335 | MEDIUM |
| Weak Cryptography (MD5) | CWE-327 | VulnerableController.java | 338-355 | HIGH |
| Debug Mode Enabled | CWE-489 | application.properties | 6-8 | MEDIUM |
| Exposed Secrets in Config | CWE-798 | application.properties | 11-62 | CRITICAL |
This application uses 70+ direct dependencies from 2017-2019, which pull in 300+ total dependencies when including transitive dependencies, resulting in 200+ known vulnerabilities.
High-CVE Packages:
spring-boot-starter-parent:2.1.6- Multiple Spring vulnerabilitiesjackson-databind:2.9.9- Deserialization RCE (30+ CVEs)log4j:1.2.17- Multiple critical vulnerabilitiescommons-collections:3.2.1- Deserialization RCE (CVE-2015-7501)commons-collections4:4.1- Various security issuescommons-beanutils:1.9.3- Deserialization vulnerabilitiescommons-fileupload:1.3.3- DoS, path traversal (5+ CVEs)commons-compress:1.18- Zip slip, DoS (10+ CVEs)mysql-connector-java:5.1.46- JDBC vulnerabilitiesh2:1.4.197- RCE vulnerabilitieshttpclient:4.5.6- Multiple HTTP issuesjjwt:0.9.1- JWT vulnerabilitiesxerces:2.11.0- XXE vulnerabilitiesdom4j:1.6.1- XXE injectionsnakeyaml:1.23- Deserialization RCEvelocity:1.7- Template injectionfreemarker:2.3.28- Template injectionkryo:4.0.2- Deserialization issuesguava:25.1-jre- DoS vulnerabilitiespoi:3.17- XXE, zip slip (10+ CVEs)itextpdf:5.5.13- XSS, XXE issuesaws-java-sdk-s3:1.11.327- AWS SDK vulnerabilitiesstruts2-core:2.5.20- RCE vulnerabilitieshibernate-core:5.3.10- SQL injection issuesnetty-all:4.1.36- HTTP smuggling (10+ CVEs)elasticsearch:6.8.1- Multiple security issueskafka-clients:2.2.1- Security vulnerabilitiesbouncycastle:1.61- Cryptographic issuesjsoup:1.11.3- XSS vulnerabilities
Expected Total: 200-250 vulnerabilities from dependencies (Maven build required to verify exact count)
This application includes various remediation scenarios:
jackson-databind 2.9.9 → 2.15.xcommons-fileupload 1.3.3 → 1.5guava 25.1-jre → 32.x
- Spring Boot 2.1.6 pulls in hundreds of vulnerable transitive dependencies
- Upgrading Spring Boot to 3.x fixes many transitive issues
- Multiple packages depend on same vulnerable Jackson, Commons, or Netty versions
- Require coordinated upgrades or dependency management
- Use Maven
<dependencyManagement>to override transitive versions - Maven exclusions for problematic dependencies
- May require
mvn dependency:treeanalysis
- Spring Boot 2.x → 3.x (major API changes, Java 17+ required)
- Jackson 2.9 → 2.15 (API changes)
- Hibernate 5.x → 6.x (JPA changes)
- Log4j 1.x → Log4j2 (complete rewrite)
log4j:1.2.17- EOL, migrate to Log4j2velocity:1.7- Deprecated, migrate to alternatives- Older Apache Commons libraries with no maintainers
- Deep transitive chains requiring upstream fixes
- Vulnerabilities in archived/unmaintained packages
- Legacy Spring Boot 2.x specific dependencies
- Java 11 or higher
- Maven 3.6+ (required for building and dependency resolution)
# Install dependencies and build
mvn clean install
# Run the application
mvn spring-boot:run
# Application will run on http://localhost:8080# Run Snyk test (Maven required)
snyk test --file=pom.xml
# Expected output: 200+ vulnerabilities
# View dependency tree
mvn dependency:tree
# Generate dependency report
mvn dependency:analyze
# Build and run tests
mvn clean testThis project targets Java 11 for maximum compatibility with the old Spring Boot 2.1.6 version. The vulnerable dependencies from 2019 were built for Java 8-11.
All endpoints are intentionally vulnerable:
POST /api/login- SQL InjectionGET /api/exec?cmd=ls- Command InjectionGET /api/files?filename=test.txt- Path TraversalPOST /api/upload- Unrestricted File UploadGET /api/search?query=<script>- XSSGET /api/proxy?url=http://internal- SSRFPOST /api/evaluate- RCEPOST /api/deserialize- Insecure DeserializationDELETE /api/admin/users/1- Missing AuthGET /api/users/1- IDORPOST /api/parse-xml- XXEPOST /api/parse-yaml- YAML DeserializationPOST /api/register- Mass AssignmentGET /api/debug- Data ExposureGET /redirect?url=- Open RedirectPOST /api/hash- Weak Cryptography
- ✅ A01:2021 - Broken Access Control
- ✅ A02:2021 - Cryptographic Failures
- ✅ A03:2021 - Injection
- ✅ A04:2021 - Insecure Design
- ✅ A05:2021 - Security Misconfiguration
- ✅ A06:2021 - Vulnerable and Outdated Components
- ✅ A07:2021 - Identification and Authentication Failures
- ✅ A08:2021 - Software and Data Integrity Failures
- ✅ A09:2021 - Security Logging and Monitoring Failures
- ✅ A10:2021 - Server-Side Request Forgery
- CORS enabled for all origins
- Actuator endpoints exposed without authentication
- Debug mode enabled
- Beans with insecure default configurations
- Auto-configuration vulnerabilities
- Insecure deserialization via ObjectInputStream
- Classpath manipulation possibilities
- Reflection-based vulnerabilities
The pom.xml includes:
- 70+ direct dependencies with known vulnerabilities
- Expected 300+ transitive dependencies
- Multiple vulnerable versions of commonly-used libraries
- Old framework versions that pull in vulnerable dependency chains
The project includes Kotlin support demonstrating:
- Mixed Java/Kotlin codebases (common in modern Spring Boot apps)
- Kotlin-specific dependency vulnerabilities
- Jackson Kotlin module with deserialization issues
MIT License - Use for educational and testing purposes only.
DO NOT use this application in production environments. It contains intentional security vulnerabilities and should only be used in isolated, controlled environments for security testing and education.
This project requires Maven to:
- Resolve all 300+ dependencies (direct and transitive)
- Download vulnerable dependency versions from Maven Central
- Generate the dependency tree for Snyk scanning
- Compile Java and Kotlin source files
- Package the application as an executable JAR
Without Maven installed, the project structure and code are complete but cannot be built or scanned.