1 video 📅 2025-07-07 10:00:00 America/Mexico_City
7:26
2025-07-07 15:07:55

Course recordings on DaDesktop for Training platform

Visit outline: Secure Developer Java (Inc OWASP) (Course code: secdevja)

Categories: Java · OWASP · Secure Coding

Summary

Overview

This course session is the first hands-on lab in a security-focused Java development training, designed to introduce learners to identifying and mitigating real-world vulnerabilities in Spring Boot applications. The trainer presents a pre-configured Ubuntu 24 environment with Java compilers, IDEs (IntelliJ IDEA Community, Visual Studio Code) and three lab projects. Lab 1 covers flaws from the first three OWASP Top 10 (2021) categories: Broken Access Control (A01), insecure tokens and weak hashes (A02 Cryptographic Failures), and SQL injection and reflected XSS (A03 Injection). Learners are guided to exploit these flaws in a safe, controlled environment and then apply fixes using Spring Security (in-memory users and roles, method-level authorization), stronger hashing, and proper input handling (validation, parameterized queries and output encoding). The session emphasizes exploration over assessment, encouraging use of external resources and open Q&A.

Topic (Timeline)

1. Environment Setup and Lab Introduction [00:00:27 - 00:03:05]

The trainer confirms all participants see the same shared screen and verifies the Ubuntu 24 environment is pre-configured with Java compilers and development tools. Three lab projects are introduced under the “Oplow Files” directory, with Lab 1 serving as an introductory exercise. The trainer explains that Labs 2 and 3 will increase in complexity, with the potential to build a full Java Spring Boot application containing multiple vulnerabilities by the end of the course. Learners are encouraged to use any of the installed IDEs (IntelliJ IDEA Community or Visual Studio Code), both of which have Java plugins pre-enabled.

2. Lab 1 Objectives and Security Focus [00:03:05 - 00:05:01]

The goal of Lab 1 is to identify and exploit real vulnerabilities in a Spring Boot application corresponding to the first three OWASP Top 10 (2021) categories: A01 Broken Access Control, A02 Cryptographic Failures, and A03 Injection (the SQL injection and XSS tasks fall under A03). Learners are directed to the “Secure Java Labs” folder in their home directory, where each lab project is located. The trainer provides instructions within the lab document, including file paths, terminal commands for compilation, and URLs to access the application in the browser. Emphasis is placed on learning through experimentation: there are no penalties for mistakes, and external resources are encouraged.

3. Vulnerability Exploitation and Mitigation Workflow [00:05:01 - 00:06:21]

The trainer outlines the step-by-step exploitation and remediation tasks for Lab 1:

  • Exploit Broken Access Control by manipulating URLs to reach pages or actions the current role should not be able to use.
  • Generate and exploit insecure tokens and cryptographic hashes (predictable token values, weak or unsalted password hashes).
  • Perform SQL injection through an input that is concatenated into a query, to read or modify the backend database.
  • Trigger and observe reflected XSS by supplying script content in a parameter the page echoes back unencoded.

For remediation, learners will implement Spring Security to:

  • Protect endpoints with method-level annotations (e.g., @PreAuthorize) in addition to URL-pattern rules, so a missed URL rule does not expose the method.
  • Configure in-memory roles and users.
  • Fix cryptographic flaws (e.g., replace weak, unsalted hashes with a slow, salted password hash such as Spring Security's BCryptPasswordEncoder, and generate tokens from SecureRandom).
  • Neutralize injection: bind user input with parameterized queries rather than concatenating it into SQL, and encode output to stop XSS. Input validation helps but is not a substitute for either.

The trainer invites questions and confirms the session is open for real-time support.
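The remediation half of that workflow, as an added example that is not code from the lab projects or from the course materials: a Spring Boot 3 / Spring Security 6 configuration with in-memory users whose passwords are stored as BCrypt hashes, a deny-by-default URL rule set, a controller method guarded by @PreAuthorize, and a SecureRandom-based token generator in place of a predictable one. The package, class names, usernames, passwords and endpoint paths are assumptions, and the code assumes the spring-boot-starter-web and spring-boot-starter-security dependencies are on the classpath.

```java
// Added example (not the course's lab code). Spring Boot 3 / Spring Security 6.
// Package, class names, credentials and endpoint paths are illustrative assumptions.
package example.secure;

import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity   // turns on evaluation of @PreAuthorize on bean methods
public class SecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // BCrypt: salted and deliberately slow. Replaces unsalted MD5/SHA-1 style
        // password hashes, which are fast to brute-force and rainbow-table.
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        // In-memory users for the lab. Only the BCrypt hash is kept in memory;
        // the plaintext below exists only to seed it (assumed lab credentials).
        UserDetails user = User.withUsername("user")
                .password(encoder.encode("user-password"))
                .roles("USER")
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-password"))
                .roles("USER", "ADMIN")   // stored as ROLE_USER, ROLE_ADMIN
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")  // URL-level rule
                .anyRequest().authenticated())                   // deny by default
            .formLogin(form -> form.permitAll());                // CSRF stays enabled
        return http.build();
    }

    // Token generation: java.util.Random, timestamps or counters are predictable
    // and let an attacker forge another user's token. 256 bits from SecureRandom,
    // URL-safe Base64 encoded, is an opaque token that cannot be guessed.
    static String newOpaqueToken() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}

// Method-level rule: even if the URL rule above were missing or the handler were
// reached by another path, the method itself refuses callers without ROLE_ADMIN.
@RestController
class AdminController {

    @GetMapping("/admin/users")
    @PreAuthorize("hasRole('ADMIN')")
    public String listUsers() {
        return "user, admin";
    }
}
```

With this in place, a logged-in "user" who edits the URL to /admin/users gets 403 from the filter chain, and would still get an AccessDeniedException from the @PreAuthorize check if the URL rule were removed; the two layers are deliberately redundant.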

4. Lab Execution and Support Framework [00:06:21 - 00:06:58]

The trainer reiterates that learners are free to proceed at their own pace using either terminal commands or IDEs. No additional installations are expected; support is available for any setup issues that do arise. The trainer monitors each participant’s screen in real time to detect and assist with blockers. The session is structured to be exploratory, with no pressure to complete tasks perfectly, and the mic remains open for ongoing questions.

Appendix

Key Tools and Paths

  • OS: Ubuntu 24
  • IDEs: IntelliJ IDEA Community, Visual Studio Code (with Java plugins enabled)
  • Lab Directory: ~/Secure Java Labs/
  • Project Files: Located in Oplow Files/ (three lab folders: Lab 1, 2, 3)

Vulnerabilities Covered (Lab 1)

  • Broken Access Control (URL manipulation)
  • Insecure Token/Hash Generation
  • SQL Injection
  • Reflected Cross-Site Scripting (XSS)

Security Mitigations to Apply

  • Spring Security configuration
  • Role-based access control via @PreAuthorize
  • In-memory user/role setup
  • Cryptographic hardening (e.g., use of strong hashing algorithms)
  • Parameterized queries (with input validation) to prevent SQL injection, and output encoding to prevent XSS
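The SQL injection and reflected XSS items, as an added example that is not code from the lab projects: a controller with each flaw beside its fix. The users table and its columns, the endpoint paths and the package name are assumptions, and the code assumes spring-boot-starter-web and spring-boot-starter-jdbc with a configured DataSource (for example the H2 in-memory database).

```java
// Added example (not the course's lab code). Table, columns, endpoint paths and
// package are illustrative assumptions.
package example.secure;

import java.util.List;
import java.util.Map;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@RestController
public class SearchController {

    private final JdbcTemplate jdbc;

    public SearchController(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // VULNERABLE: the request parameter is concatenated into the SQL text, so the
    // attacker controls the statement.  ?name=' OR '1'='1  returns every row;
    // a UNION SELECT payload reads other tables.
    @GetMapping("/search-vulnerable")
    public List<Map<String, Object>> searchVulnerable(@RequestParam String name) {
        String sql = "SELECT id, username FROM users WHERE username = '" + name + "'";
        return jdbc.queryForList(sql);
    }

    // FIXED: a parameterized query. The value is bound by the JDBC driver and can
    // never alter the statement's structure, whatever quotes or keywords it holds.
    // Stripping quotes from the input is not needed and, alone, is not enough.
    @GetMapping("/search")
    public List<Map<String, Object>> search(@RequestParam String name) {
        String sql = "SELECT id, username FROM users WHERE username = ?";
        return jdbc.queryForList(sql, name);
    }

    // VULNERABLE: reflects the parameter into an HTML response unencoded.
    // ?q=<script>alert(document.cookie)</script> runs in the victim's browser.
    @GetMapping(value = "/echo-vulnerable", produces = "text/html")
    public String echoVulnerable(@RequestParam String q) {
        return "<p>You searched for: " + q + "</p>";
    }

    // FIXED: HTML-encode untrusted data at the point it is written into markup.
    // < > & " ' become entities, so the payload is displayed, not executed.
    // (Thymeleaf's th:text does the same escaping by default.)
    @GetMapping(value = "/echo", produces = "text/html")
    public String echo(@RequestParam String q) {
        return "<p>You searched for: " + renderEscaped(q) + "</p>";
    }

    static String renderEscaped(String untrusted) {
        return HtmlUtils.htmlEscape(untrusted);
    }
}
```

The pairing shows the point the lab is making: the fix for injection is to keep data and code separate (bind parameters, encode on output), not to guess which characters to strip from input.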

Learning Approach

  • Exploration over assessment
  • Use of external documentation and resources encouraged
  • Real-time trainer monitoring and support
  • No penalties for errors; focus on understanding and remediation