Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

Web Frameworks: Java

Premium room

Review Spring Boot source, find the framework-specific sinks, and exploit each on the lab machine.

medium

60 min

20

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

This is the Java entry in the Web Frameworks module, and we are going to work it the way a security reviewer actually does: as a code review. Instead of poking at a black box and guessing, we are handed the application's source and asked to find the bugs by reading it, then prove each one on the running lab machine. This is white-box testing. Once we can see how the code is written, the framework-specific mistakes stop being mysteries and become patterns we can grep for.

The lab machine runs a Spring Boot application. Spring Boot has won the Java web framework wars on the strength of opinionated defaults: auto-configuration, an embedded Tomcat, classpath scanning, and a management subsystem called Actuator that ships ready to turn on. Those same defaults are where its bugs live. A management endpoint left exposed, a query that drops below the , a controller that binds a whole entity, a dependency that turns a deserialise call into code execution: each is a habit that is easy to ship and hard to spot from the outside, and obvious the moment we read the source.

Learning Objectives

  • Read Spring Boot source to locate framework-specific sinks
  • Recognise an exposed Actuator surface and lift secrets from /actuator/env and /actuator/heapdump
  • Spot a SQL injection that survives Spring's data layer through string-built raw SQL
  • Identify and exploit mass assignment in a controller that binds a full entity
  • Recognise the Java deserialisation sinks and drive one to remote code execution with ysoserial

Prerequisites

  • Working knowledge of HTTP and the request/response cycle
  • Familiarity with the OWASP Top 10
  • Comfort reading Java (no writing required) and using curl and jq from a terminal

Suggested prerequisite rooms: Web Frameworks: Code Review for the read, map, trace, triage, and verify method this room applies, plus OWASP Top 10 2025: Insecure Data HandlingSQL Injection, and Content Discovery.

Machine Access

Click the Start Lab Machine button below of the room and give it a couple of minutes to boot. Everything on the lab machine runs in the browser: the source review viewer at http://MACHINE_IP/ and the live application at http://MACHINE_IP:8080/. There is no SSH login for the lab machine.

Once it boots, the source review viewer's landing page is a split-pane view with three panes: a file tree of the application's source on the left, the syntax-highlighted source itself in the middle, and the live application on the right. We read the redacted source in the middle pane to locate each sink, then we exploit the live app on the right to recover the real flag. Secret values and flags are blanked to <REDACTED> in the served source, so the source teaches us WHERE a bug lives, never the secret itself. We recover the real values by attacking the running lab machine.

Machine Access

 

IP address
 
MACHINE_IP
 
Connection via
 
Web browser
://MACHINE_IP/
 

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Attacker machine
Status:Off
Lab machine
Status:Off
Answer the questions below

I have successfully started my lab machine instance.