Java for AppSec Engineers
Master Java security from deserialization and Log4j to injection attacks, XML vulnerabilities, and CVE patch analysis across the Java ecosystem.
105 exercises
4 chapters
Chapter 1
Deserialization & Remote Code Execution
Exploit Java deserialization from basic ObjectInputStream gadget chains to Log4j, JDBC attacks, and H2 database RCE. Then review deserialization patterns in real CVE patches.
Java Snippet #04 (Pro)
Log4j RCE II (Pro)
Java Serialize 01 (Pro)
Log4j RCE (Pro)
H2 RCE (Pro)
S2-052 (Free)
Java Serialize 02 (Pro)
Java Serialize 03 (Pro)
XMLDecoder (Pro)
CVE-2022-21724: JDBC RCE PostgreSQL (Pro)
Apache Pluto RCE (Pro)
Java Serialize 04 (Pro)
Java Serialize 05 (Pro)
ObjectInputStream (Pro)
JDBC RCE (Pro)
Java Serialize 06 (Pro)
Java Code Review 03 (Pro)
Java Code Review 06 (Pro)
CVE-2020-9x9x (Pro)
CVE-2022-4504x (Pro)
CVE-2023-25X4X (Pro)
CVE-2023-46XX2 (Pro)
Chapter 2
Injection & XML Attacks
Exploit Struts vulnerabilities and Play Framework XXE, then review SQL injection, LDAP injection, XML external entity, and NoSQL injection patterns in Java code.
Struts s2-045 (Pro)
Play XML Entities (Free)
XSL Java (Pro)
Java Code Review 08 (Pro)
CVE-2023-350XX (Pro)
CVE-2022-4x13x (Pro)
CVE-2020-13xxx (Pro)
CVE-2022-458X1 (Pro)
CVE-2022-X50X6 (Pro)
CVE-202X-2561X (Pro)
CVE-2022-XX910 (Pro)
CVE-2014-X80X (Pro)
CVE-2023-2XX60 (Pro)
Java Code Review 14 (Pro)
Java Code Review 11 (Pro)
Java Snippet #03 (Pro)
CVE-2007-546X (Pro)
CVE-2022-357X1 (Pro)
CVE-2020-11xxx (Pro)
CVE-2021-39x3x (Pro)
CVE-2022-3x7x1 (Pro)
CVE-2023-5X38X (Pro)
CVE-2024-X875X (Pro)
Recommended: Complete Chapter 1 first
Chapter 3
Paths, Web Attacks & Filters
Exploit Spring Actuators, Struts devMode, and Play sessions. Review directory traversal, SSRF, XSS, open redirect, and filter bypass patterns across Java frameworks.
Struts devMode (Pro)
Spring Actuators (Pro)
Play Session Injection (Free)
Java Snippet #08 (Pro)
Java Code Review 02 (Pro)
Java Code Review 04 (Pro)
CVE-2009-26X3 (Pro)
CVE-2020-17xx7 (Pro)
CVE-2020-9X8X (Pro)
CVE-2020-17xx8 (Pro)
CVE-2022-378xx (Pro)
CVE-2022-x0x08 (Pro)
CVE-2022-x0x09 (Pro)
CVE-2022-342XX (Pro)
CVE-2024-2X31X (Pro)
CVE-2023-3X4X6 (Pro)
CVE-2022-2X457 (Pro)
Java Snippet #06 (Pro)
Java Code Review 01 (Pro)
Java Code Review 12 (Pro)
CVE-2022-X41X9 (Pro)
Java Code Review 05 (Pro)
CVE-2018-8x14 (Pro)
Java Code Review 13 (Pro)
Java Snippet #10 (Pro)
Java Snippet #07 (Pro)
GHSA-95XX (Pro)
Java Snippet #11 (Pro)
Java Snippet #12 (Pro)
Java Code Review 15 (Pro)
CVE-2022-X51X3 (Pro)
Recommended: Complete Chapters 1 & 2 first
Chapter 4
Auth, Crypto & Application Logic
Review authentication bypass, timing attacks, weak randomness, cryptographic flaws, hardcoded secrets, insecure transport, and application logic issues in Java code.
Java Snippet #05 (Pro)
Java Snippet #01 (Pro)
Java Snippet #02 (Pro)
CVE-2006-6X6X (Pro)
CVE-2014-7X09 (Pro)
CVE-2022-26xx9 (Pro)
CVE-2025-627X0 (Pro)
CVE-2022-2X24X (Pro)
Java Code Review 07 (Pro)
CVE-2023-X48X9 (Pro)
CVE-2023-30XX1 (Pro)
CVE-2022-393XX (Pro)
CVE-2023-2XX61 (Pro)
CVE-2023-2X8X1 (Pro)
CVE-2025-NOID (Pro)
Code Review 18 (Pro)
CVE-2015-3XX0 (Pro)
CVE-2021-381xx (Pro)
CVE-2009-387X (Pro)
CVE-2023-5143X (Pro)
Java Code Review 10 (Pro)
Java Code Review 09 (Pro)
Java Code Review 16 (Pro)
CVE-2011-XX61 (Pro)
CVE-2023-XXX83 (Pro)
Java Snippet #09 (Pro)
CVE-2018-XX34 (Pro)
CVE-2012-5XX3 (Pro)
CVE-2023-4X25X (Pro)
Recommended: Complete all previous chapters