To access material, start machines and answer questions login.
This is the Java entry in the Web Frameworks module, and we are going to work it the way a security reviewer actually does: as a code review. Instead of poking at a black box and guessing, we are handed the application's source and asked to find the bugs by reading it, then prove each one on the running lab machine. This is white-box testing. Once we can see how the code is written, the framework-specific mistakes stop being mysteries and become patterns we can grep for.
The lab machine runs a Spring Boot application. Spring Boot has won the Java web framework wars on the strength of opinionated defaults: auto-configuration, an embedded Tomcat, classpath scanning, and a management subsystem called Actuator that ships ready to turn on. Those same defaults are where its bugs live. A management endpoint left exposed, a query that drops below the , a controller that binds a whole entity, a dependency that turns a deserialise call into code execution: each is a habit that is easy to ship and hard to spot from the outside, and obvious the moment we read the source.
Learning Objectives
- Read Spring Boot source to locate framework-specific sinks
- Recognise an exposed Actuator surface and lift secrets from
/actuator/envand/actuator/heapdump - Spot a SQL injection that survives Spring's data layer through string-built raw SQL
- Identify and exploit mass assignment in a controller that binds a full entity
- Recognise the Java deserialisation sinks and drive one to remote code execution with ysoserial
Prerequisites
- Working knowledge of HTTP and the request/response cycle
- Familiarity with the OWASP Top 10
- Comfort reading Java (no writing required) and using
curlandjqfrom a terminal
Suggested prerequisite rooms: Web Frameworks: Code Review for the read, map, trace, triage, and verify method this room applies, plus OWASP Top 10 2025: Insecure Data Handling, SQL Injection, and Content Discovery.
Machine Access
Click the Start Lab Machine button below of the room and give it a couple of minutes to boot. Everything on the lab machine runs in the browser: the source review viewer at http://MACHINE_IP/ and the live application at http://MACHINE_IP:8080/. There is no SSH login for the lab machine.
Once it boots, the source review viewer's landing page is a split-pane view with three panes: a file tree of the application's source on the left, the syntax-highlighted source itself in the middle, and the live application on the right. We read the redacted source in the middle pane to locate each sink, then we exploit the live app on the right to recover the real flag. Secret values and flags are blanked to <REDACTED> in the served source, so the source teaches us WHERE a bug lives, never the secret itself. We recover the real values by attacking the running lab machine.
Machine Access
Set up your virtual environment
I have successfully started my lab machine instance.
Ready to learn Cyber Security?
The Web Frameworks: Java room is only available for Premium or Max subscribers. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
Already have an account? Log in
