Skip to content

added vulnerable code to test frog-bot #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MohammedKamle wants to merge 1 commit into
base: master
Choose a base branch
from
Open

added vulnerable code to test frog-bot #11

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 108 additions & 0 deletions src/main/java/VulnerableApp.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
/**
* WARNING: This file contains intentionally insecure Java code.
* It is ONLY for testing security scanners like JFrog Xray.
* DO NOT USE IN PRODUCTION.
*/

import java.io.*;
import java.net.*;
import java.security.MessageDigest;
import java.sql.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;

public class VulnerableApp {

// ---- HARD-CODED SECRETS ----
private static final String DB_PASSWORD = "SuperSecret123!";
private static final String API_KEY = "API-KEY-1234567890";
private static final String JWT_SECRET = "myjwtsecretkey";

// ---- OUTDATED CRYPTO ----
public static String weakHash(String input) throws Exception {
MessageDigest md = MessageDigest.getInstance("MD5"); // Weak hashing
Copy link
Copy Markdown
Owner Author

@MohammedKamle MohammedKamle Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
medium
Medium		 Using outdated or insecure encryption algorithm
Full description

Vulnerability Details
Rule ID: java-weak-crypto-algorithm

Overview

Insecure SSL protocols refer to older versions of the SSL (Secure Socket Layer) and TLS
(Transport Layer Security) protocols that have known security vulnerabilities. These
vulnerabilities can be exploited by attackers to compromise the confidentiality, integrity,
and authenticity of the communication between a client and a server.

Vulnerable example

public class weak_crypto_vuln {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String data = request.getParameter("data");
        Cipher decryptor;

        decryptor = Cipher.getInstance("DES");
        decryptor.init(Cipher.DECRYPT_MODE, key);

        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        outputStream.write(decryptor.doFinal(Base64.getDecoder().decode(data)));
        String decryptedData = outputStream.toString();
    }
}

DES is a weak cryptographic algorithm.

Remediation

public class weak_crypto_safe {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String data = request.getParameter("data");
        Cipher decryptor;

        - decryptor = Cipher.getInstance("DES");
        + decryptor = Cipher.getInstance("AES");
        decryptor.init(Cipher.DECRYPT_MODE, key);

        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        outputStream.write(decryptor.doFinal(Base64.getDecoder().decode(data)));
        String decryptedData = outputStream.toString();
    }
}

AES is a strong cryptographic algorithm.

return Base64.getEncoder().encodeToString(md.digest(input.getBytes()));
}

// ---- SQL INJECTION EXAMPLE ----
public static void getUser(Connection conn, String username) throws Exception {
// UNSAFE: direct string concatenation
String query = "SELECT * FROM users WHERE username = '" + username + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);

while (rs.next()) {
System.out.println("User: " + rs.getString("username"));
}
}

// ---- COMMAND INJECTION EXAMPLE ----
public static void runPing(String host) throws Exception {
// UNSAFE: attacker-controlled input
String command = "ping -c 3 " + host;
Process p = Runtime.getRuntime().exec(command);

BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = br.readLine()) != null) {
System.out.println(line);
}
}

// ---- PATH TRAVERSAL ----
public static void readFile(String filename) throws Exception {
File file = new File("./uploads/" + filename); // No sanitization
BufferedReader reader = new BufferedReader(new FileReader(file));

String text;
while ((text = reader.readLine()) != null) {
System.out.println(text);
}
}

// ---- INSECURE DESERIALIZATION ----
public static void deserialize(byte[] data) throws Exception {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
Object obj = ois.readObject(); // Unsafe: gadget attacks possible
System.out.println("Deserialized: " + obj);
}

// ---- INSECURE NETWORK CALL ----
public static void insecureHttpCall() throws Exception {
URL url = new URL("http://example.com"); // No HTTPS
HttpURLConnection con = (HttpURLConnection) url.openConnection();
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
String line;
while ((line = in.readLine()) != null) {
System.out.println(line);
}
}

// ---- BAD KEY MANAGEMENT ----
public static String weakEncryption(String text) throws Exception {
String key = "1234567812345678"; // Hardcoded AES key (weak)
Cipher cipher = Cipher.getInstance("AES");
SecretKeySpec secretKey = new SecretKeySpec(key.getBytes(), "AES");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);

return Base64.getEncoder().encodeToString(cipher.doFinal(text.getBytes()));
}

// ---- MAIN METHOD ----
public static void main(String[] args) {
try {
System.out.println("Running vulnerable Java application...");

weakHash("hello");
weakEncryption("secret");

// Simulate insecure actions
runPing("google.com");
readFile("../../../etc/passwd");

} catch (Exception e) {
e.printStackTrace();
Copy link
Copy Markdown
Owner Author

@MohammedKamle MohammedKamle Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Internal code structure may be revealed through error message
Full description

Vulnerability Details
Rule ID: java-stack-trace-exposure

Overview

Stack trace exposure is a type of security vulnerability that occurs when a program reveals
sensitive information, such as the names and locations of internal files and variables,
in error messages or other diagnostic output. This can happen when a program crashes or
encounters an error, and the stack trace (a record of the program's call stack at the time
of the error) is included in the output. Stack trace exposure can provide attackers with
valuable information about a program's internal workings and vulnerabilities, making it
easier for them to exploit those vulnerabilities and gain unauthorized access
to the system.

Vulnerable example

In this example, an exception is caught, and its stack trace is printed directly to the HTTP response, exposing internal details.

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;

public class stack_trace_exposure_vuln extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            int result = 10 / 0; // Simulate an error
            response.getWriter().println("Result: " + result);
        } catch (Exception e) {
            // Vulnerable: Printing full stack trace to the response
            StringWriter sw = new StringWriter();
            PrintWriter pw = new PrintWriter(sw);
            e.printStackTrace(pw);
            response.getWriter().println("Error: " + sw.toString());
        }
    }
}

Remediation

Avoid sending out data from exceptions thrown in the code. Instead, log the detailed error internally and provide a generic error message to the user.

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class stack_trace_exposure_safe extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            int result = 10 / 0; // Simulate an error
            response.getWriter().println("Result: " + result);
        } catch (Exception e) {
            // Secure: Log detailed error internally (not shown) and present generic message
            System.err.println("An error occurred: " + e.getMessage());
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "An unexpected error occurred.");
        }
    }
}


<details><summary><b>Code Flows</b></summary>
<details><summary><b>Vulnerable data flow analysis result</b></summary>

↘️ `Exception e` (at src/main/java/VulnerableApp.java line 104)

↘️ `e` (at src/main/java/VulnerableApp.java line 105)
<br></details><br></details><br></details>

---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>

}
}
}
Loading