# *Understanding Java Code Audit in Depth*

This project records the excellent material I have come across while learning Java code auditing, including Java code-audit techniques and outstanding code-audit case studies. A master who cannot audit Java code is not a good hacker! A hacker who cannot audit Java code is not a good master!

This project was created on 8 July 2021 and last updated on 6 September 2021. It will keep being updated until the seas run dry and the rocks crumble.

- [0x01-Java Code Audit Resources](https://github.com/0e0w/HackJava#0x01-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%B5%84%E6%BA%90)
- [0x02-Java Vulnerable Lab Platforms](https://github.com/0e0w/HackJava#0x02-Java%E6%BC%8F%E6%B4%9E%E9%9D%B6%E5%9C%BA%E5%B9%B3%E5%8F%B0)
- [0x03-Java Code Audit Tools](https://github.com/0e0w/HackJava#0x03-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%B7%A5%E5%85%B7)
- [0x04-Java Code Audit Case Studies](https://github.com/0e0w/HackJava#0x04-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%A1%88%E4%BE%8B)
- [0x05-Java Web Security Vulnerabilities](https://github.com/0e0w/Hackjava#0x04-Java%E5%B8%B8%E8%A7%84Web%E6%BC%8F%E6%B4%9E)
- [0x06-Java Secure Coding Guidelines](https://github.com/0e0w/Hackjava#0x06-Java%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E8%A7%84%E8%8C%83)
- [0x07-Java Code Audit Training](https://github.com/0e0w/Hackjava#0x07-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%9F%B9%E8%AE%AD)
- [0x08-Java Code Audit References](https://github.com/0e0w/Hackjava#0x08-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%8F%82%E8%80%83)

## 0x01-Java Code Audit Resources

1. Books

- [ ] [*Java Code Audit: Introductory Volume*](https://item.jd.com/10033832360716.html) by 陈俊杰 et al.

2. Video Tutorials

3. Other Resources

## 0x02-Java Vulnerable Lab Platforms

- [ ] https://github.com/Mysticbinary/WebBug
- [ ] https://github.com/dschadow/JavaSecurity
- [ ] https://github.com/dschadow/Java-Web-Security
- [ ] https://github.com/novysodope/mytestvul
- [ ] https://github.com/langligelang/maobugs
- [ ] https://github.com/ityouknow/spring-boot-examples
- [ ] https://github.com/kevinsawicki/http-request
- [ ] https://github.com/NanoHttpd/nanohttpd
- [ ] https://github.com/TheKingOfDuck/MySQLMonitor
- [ ] https://github.com/tangxiaofeng7/SecExample
- [ ] https://github.com/JoyChou93/java-sec-code
- [ ] https://github.com/Zhangyao-zzyy/JavaVulnerableLab-circle
- [ ] https://github.com/oversecured/ovaa
- [ ] https://github.com/appsecco/dvja
- [ ] https://github.com/jaiswalakshansh/Vuldroid
- [ ] https://github.com/safe6Sec/ShiroAndFastJson
- [ ] https://github.com/CSPF-Founder/JavaVulnerableLab
- [ ] https://github.com/t0thkr1s/allsafe

## 0x03-Java Code Audit Tools

1. Fortify

- [ ] https://github.com/wooyunwang/Fortify
- [ ] https://github.com/5wimming/gadgetinspector

2. IDEA

- [ ] https://github.com/XianYanTechnology/RocB

3. To Be Sorted

- [ ] https://github.com/MobSF/mobsfscan
- [ ] https://github.com/threedr3am/log-agent
- [ ] https://github.com/wh1t3p1g/tabby

## 0x04-Java Code Audit Case Studies

- [ ] https://github.com/j3ers3/Hello-Java-Sec
- [ ] https://github.com/proudwind/javasec_study
- [ ] https://github.com/threedr3am/learnjavabug
- [ ] https://github.com/SummerSec/JavaLearnVulnerability
- [ ] https://github.com/cn-panda/JavaCodeAudit
- [ ] https://github.com/Maskhe/javasec
- [ ] https://github.com/phith0n/JavaThings
- [ ] https://github.com/anbai-inc/javaweb-sec
- [ ] https://github.com/feihong-cs/Java-Rce-Echo
- [ ] https://github.com/Y4er/WebLogic-Shiro-shell
- [ ] https://github.com/feihong-cs/JNDIExploit
- [ ] https://github.com/welk1n/JNDI-Injection-Exploit
- [ ] https://github.com/March110/javaweb-sec
- [ ] https://github.com/wh1t3p1g/ysomap
- [ ] [Attacking Java Web Applications](https://appts4jvi.zhishibox.net/b/5d644b6f81cbc9e40460fe7eea3c7925)
- [ ] https://github.com/returntocorp/semgrep
- [ ] https://github.com/mtxiaowangzi/CAFJE
- [ ] https://github.com/MobSF/mobsfscan
- [ ] https://github.com/huyuanzhi2/CodeReview

## 0x05-Java Web Security Vulnerabilities

This section lists the common classes of Java security vulnerabilities in detail.

- Installation issues
- Business logic vulnerabilities
- SQL injection
  - https://github.com/yhy0/sqlilab-Jsp
- Variable overwrite vulnerabilities
- Arbitrary file upload
- Arbitrary file write
- Arbitrary file deletion
- Arbitrary file inclusion
- Arbitrary command execution
- Java deserialization vulnerabilities
  - https://github.com/frohoff/ysoserial
  - https://github.com/wh1t3p1g/ysomap
  - https://github.com/JackOfMostTrades/gadgetinspector
  - https://github.com/0range228/Gadgets
- XSS (cross-site scripting)
- XXE (XML external entity attacks)
- CSRF (cross-site request forgery)
- SSRF (server-side request forgery)

## 0x06-Java Secure Coding Guidelines

- [ ] Tencent Group: Java Secure Coding Guidelines
- [ ] Qi An Xin Group (奇安信): Java Secure Coding Guidelines
- [ ] [Momo Group (陌陌): Java Secure Coding Guidelines](https://github.com/momosecurity/rhizobia_J)

## 0x07-Java Code Audit Training

## 0x08-Java Code Audit References

- [ ] [*An Introductory Tutorial on Static Program Analysis*](https://github.com/RangerNJU/Static-Program-Analysis-Book)