Skip to content

Add comprehensive vulnerable-by-design Kotlin service for security te…#17

Open
Bonckheere1 wants to merge 1 commit intoCheckmarx:developfrom
Roland-s-Demo-Org:claude/vulnerable-access-control-code-QppP4
Open

Add comprehensive vulnerable-by-design Kotlin service for security te…#17
Bonckheere1 wants to merge 1 commit intoCheckmarx:developfrom
Roland-s-Demo-Org:claude/vulnerable-access-control-code-QppP4

Conversation

@Bonckheere1
Copy link

@Bonckheere1 Bonckheere1 commented Mar 4, 2026

…sting

Adds a new Spring Boot Kotlin API service (packages/services/kotlin-api) and Android activity demonstrating intentional security vulnerabilities across all major OWASP and security testing categories for education and pen-testing use.

Vulnerability categories covered:

BOLA/IDOR (AccessControlController):

  • No ownership checks on note/user CRUD endpoints
  • Cross-tenant data leakage via URL path tenantId param
  • Mass assignment enabling privilege escalation (role="admin")
  • BOLA on fund transfer (any user can drain any account)

Authentication & Session Management (AuthController):

  • Plain-text password storage and comparison
  • No brute-force rate limiting
  • Username enumeration via different error messages
  • Predictable password reset tokens (java.util.Random)
  • Tokens never expire or invalidate on logout
  • Insecure cookies (no HttpOnly/Secure/SameSite)

SQL & Command Injection (InjectionController):

  • Classic SQLi via string concatenation in native SQL
  • JPQL injection in advanced search
  • ORDER BY injection (sort parameter)
  • Second-order SQLi demonstration
  • OS command injection via Runtime.exec() with sh -c
  • ProcessBuilder command injection (nslookup endpoint)

SSRF (SsrfController):

  • Arbitrary URL fetch with full response returned
  • Blind SSRF via webhook registration
  • SSRF via avatar image fetch
  • SSRF via import-from-URL feature
  • All redirect-following enabled (internal redirects)

Client-Side Attacks (ClientSideController):

  • Reflected XSS in search and greeting endpoints
  • Stored XSS in feedback system
  • Open redirect via unvalidated url/next parameters
  • Web cache poisoning via X-Forwarded-Host reflection
  • Clickjacking via missing X-Frame-Options

Insecure Deserialization & SSTI (DeserializationController):

  • Java ObjectInputStream deserialization of untrusted Base64 payload (RCE)
  • Serialized session cookie with no HMAC (role tampering)
  • Thymeleaf SSTI via user-controlled template expressions (RCE)

Files & Misconfigurations (FileController):

  • Path traversal / LFI via filename and path parameters
  • Unrestricted file upload (no extension/MIME validation)
  • Content-Type spoofing bypass in avatar upload
  • Directory listing of arbitrary filesystem paths
  • Full stack traces exposed in error responses

Secrets & Cryptography (CryptoController + JwtUtil):

  • Hardcoded credentials, API keys, DB passwords in source
  • MD5/SHA1 unsalted password hashing
  • AES-ECB mode encryption with hardcoded key
  • Base64 presented as encryption
  • JWT alg:none bypass vulnerability
  • JWT role extracted from claims without DB verification
  • All secrets returned via unauthenticated /api/crypto/config

LLM & Prompt Injection (LlmController):

  • Direct prompt injection via userMessage parameter
  • Indirect prompt injection via note content in analyze-note
  • System prompt leakage (contains DB creds, JWT secret)
  • User-controlled systemContext overrides system prompt
  • SSRF via LLM summarize-URL feature
  • Sensitive source code sent to external LLM API

Business Logic (BusinessLogicController):

  • Negative quantity purchase creates account credit
  • Client-supplied price accepted instead of DB price
  • Race condition on single-use coupon (TOCTOU)
  • Coupon brute force (no rate limiting, short codes)
  • Workflow bypass (complete order without payment)
  • Negative fund transfer steals from recipient

Hardening (SecurityConfig + application.properties):

  • CSRF disabled globally
  • Wildcard CORS with allowCredentials=true
  • All endpoints publicly accessible (no auth enforcement)
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • H2 console exposed publicly
  • Full stack traces in error responses
  • All actuator endpoints exposed

Android (VulnerableActivity):

  • WebView JS interface exposing credential/file read to JS
  • SSL certificate validation bypass (accept all certs)
  • File:// and cross-origin access enabled in WebView
  • SQLite SQL injection via string concatenation
  • Sensitive data in SharedPreferences (plain-text)
  • Sensitive data written to external storage
  • Hardcoded credentials, API keys, AES key in source
  • Data logged to Android LogCat (credentials, tokens)
  • Open deep link / intent injection (URL, path params)

https://claude.ai/code/session_01Bm5w9rWd8P8E9cYiVRHQnE

@claude
Add comprehensive vulnerable-by-design Kotlin service for security te…
d04ccc0 
…sting

Adds a new Spring Boot Kotlin API service (packages/services/kotlin-api) and
Android activity demonstrating intentional security vulnerabilities across all
major OWASP and security testing categories for education and pen-testing use.

Vulnerability categories covered:

BOLA/IDOR (AccessControlController):
- No ownership checks on note/user CRUD endpoints
- Cross-tenant data leakage via URL path tenantId param
- Mass assignment enabling privilege escalation (role="admin")
- BOLA on fund transfer (any user can drain any account)

Authentication & Session Management (AuthController):
- Plain-text password storage and comparison
- No brute-force rate limiting
- Username enumeration via different error messages
- Predictable password reset tokens (java.util.Random)
- Tokens never expire or invalidate on logout
- Insecure cookies (no HttpOnly/Secure/SameSite)

SQL & Command Injection (InjectionController):
- Classic SQLi via string concatenation in native SQL
- JPQL injection in advanced search
- ORDER BY injection (sort parameter)
- Second-order SQLi demonstration
- OS command injection via Runtime.exec() with sh -c
- ProcessBuilder command injection (nslookup endpoint)

SSRF (SsrfController):
- Arbitrary URL fetch with full response returned
- Blind SSRF via webhook registration
- SSRF via avatar image fetch
- SSRF via import-from-URL feature
- All redirect-following enabled (internal redirects)

Client-Side Attacks (ClientSideController):
- Reflected XSS in search and greeting endpoints
- Stored XSS in feedback system
- Open redirect via unvalidated url/next parameters
- Web cache poisoning via X-Forwarded-Host reflection
- Clickjacking via missing X-Frame-Options

Insecure Deserialization & SSTI (DeserializationController):
- Java ObjectInputStream deserialization of untrusted Base64 payload (RCE)
- Serialized session cookie with no HMAC (role tampering)
- Thymeleaf SSTI via user-controlled template expressions (RCE)

Files & Misconfigurations (FileController):
- Path traversal / LFI via filename and path parameters
- Unrestricted file upload (no extension/MIME validation)
- Content-Type spoofing bypass in avatar upload
- Directory listing of arbitrary filesystem paths
- Full stack traces exposed in error responses

Secrets & Cryptography (CryptoController + JwtUtil):
- Hardcoded credentials, API keys, DB passwords in source
- MD5/SHA1 unsalted password hashing
- AES-ECB mode encryption with hardcoded key
- Base64 presented as encryption
- JWT alg:none bypass vulnerability
- JWT role extracted from claims without DB verification
- All secrets returned via unauthenticated /api/crypto/config

LLM & Prompt Injection (LlmController):
- Direct prompt injection via userMessage parameter
- Indirect prompt injection via note content in analyze-note
- System prompt leakage (contains DB creds, JWT secret)
- User-controlled systemContext overrides system prompt
- SSRF via LLM summarize-URL feature
- Sensitive source code sent to external LLM API

Business Logic (BusinessLogicController):
- Negative quantity purchase creates account credit
- Client-supplied price accepted instead of DB price
- Race condition on single-use coupon (TOCTOU)
- Coupon brute force (no rate limiting, short codes)
- Workflow bypass (complete order without payment)
- Negative fund transfer steals from recipient

Hardening (SecurityConfig + application.properties):
- CSRF disabled globally
- Wildcard CORS with allowCredentials=true
- All endpoints publicly accessible (no auth enforcement)
- Missing security headers (CSP, HSTS, X-Frame-Options)
- H2 console exposed publicly
- Full stack traces in error responses
- All actuator endpoints exposed

Android (VulnerableActivity):
- WebView JS interface exposing credential/file read to JS
- SSL certificate validation bypass (accept all certs)
- File:// and cross-origin access enabled in WebView
- SQLite SQL injection via string concatenation
- Sensitive data in SharedPreferences (plain-text)
- Sensitive data written to external storage
- Hardcoded credentials, API keys, AES key in source
- Data logged to Android LogCat (credentials, tokens)
- Open deep link / intent injection (URL, path params)

https://claude.ai/code/session_01Bm5w9rWd8P8E9cYiVRHQnE
@gitguardian
Copy link

gitguardian bot commented Mar 4, 2026

⚠️ GitGuardian has uncovered 7 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
- - Generic Password d04ccc0 packages/clients/android/app/src/main/java/com/cx/goatlin/VulnerableActivity.kt View secret
- - Generic Password d04ccc0 packages/services/kotlin-api/Dockerfile View secret
- - Username Password d04ccc0 packages/services/kotlin-api/src/main/kotlin/com/kotlingoat/controllers/CryptoController.kt View secret
- - Generic Database Assignment d04ccc0 packages/services/kotlin-api/src/main/kotlin/com/kotlingoat/controllers/CryptoController.kt View secret
- - Generic Password d04ccc0 packages/services/kotlin-api/src/main/kotlin/com/kotlingoat/controllers/CryptoController.kt View secret
- - Generic Password d04ccc0 packages/services/kotlin-api/src/main/kotlin/com/kotlingoat/controllers/LlmController.kt View secret
- - Generic Password d04ccc0 packages/services/kotlin-api/src/main/kotlin/com/kotlingoat/config/DataInitializer.kt View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Bonckheere1 @claude