# 《Java安全-只有Java安全才能拯救宇宙》

![HackJava](https://socialify.git.ci/HackJava/HackJava/image?description=0&descriptionEditable=%E3%80%8AJava%E5%AE%89%E5%85%A8-%E5%8F%AA%E6%9C%89Java%E5%AE%89%E5%85%A8%E6%89%8D%E8%83%BD%E6%8B%AF%E6%95%91%E5%AE%87%E5%AE%99%E3%80%8B&font=Rokkitt&forks=1&issues=1&name=1&owner=0&pattern=Floating%20Cogs&pulls=1&stargazers=1&theme=Light)

本项目是记录自己在学习研究Java安全过程中遇到的优秀资源，包括Java安全的多个细分领域，如Java漏洞分析和Java代码审计以及Java开发的应用程序组件协议甚至Java本身的安全问题等。一个不能攻击Java的黑客不是一个好黑客，一个不懂Java安全的师傅不是一个好师傅！深入理解Java安全，拯救宇宙！作者：[0e0w](https://github.com/0e0w)

本项目创建于2021年7月8日，最近的一次更新时间为2023年8月4日。本项目会持续更新，直到海枯石烂。

- [01-Java安全研究资源](https://github.com/HackJava/HackJava#01-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E8%B5%84%E6%BA%90)
- [02-Java安全研究方向](https://github.com/HackJava/HackJava#02-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E6%96%B9%E5%90%91)
- [03-Java安全研究工具](https://github.com/HackJava/HackJava#03-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E5%B7%A5%E5%85%B7)
- [04-Java安全漏洞环境](https://github.com/HackJava/HackJava#04-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83)
- [05-Java安全漏洞修复](https://github.com/HackJava/HackJava#05-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D)
- [06-Java安全高危应用](https://github.com/HackJava/HackJava#06-java%E5%AE%89%E5%85%A8%E9%AB%98%E5%8D%B1%E5%BA%94%E7%94%A8)
- [07-Java安全参考资源](https://github.com/HackJava/HackJava#07-java%E5%AE%89%E5%85%A8%E5%8F%82%E8%80%83%E8%B5%84%E6%BA%90)

## 01-Java安全研究资源

**一、书籍资料**
- [ ] [《Java代码审计-入门篇》](https://item.jd.com/10033832360716.html)@陈俊杰等
- [ ] [《Java代码审计实战》](https://item.jd.com/13466996.html)@高昌盛等
- [ ] [《Java安全编码标准》](https://book.douban.com/subject/24846041)@计文柯译
- [ ] [《Java安全性编程指南》]()@庞南
- [ ] [《Java安全》]()@奥克斯
- [ ] [《Java编码指南》](https://www.amazon.co.uk/%E7%BC%96%E5%86%99%E5%AE%89%E5%85%A8%E5%8F%AF%E9%9D%A0%E7%A8%8B%E5%BA%8F%E7%9A%8475%E6%9D%A1%E5%BB%BA%E8%AE%AE%EF%BC%88%E8%8B%B1%E6%96%87%E7%89%88%EF%BC%89-%E5%BE%B7%E9%B2%81%C2%B7%E8%8E%AB%E6%AC%A3%E8%BE%BE%EF%BC%88Dhruv-C-%E8%A5%BF%E7%A7%91%E5%BE%B7%EF%BC%88Robert-F-%E8%90%A8%E7%91%9F%E5%85%B0%EF%BC%88Dean-%E5%BC%97%E9%9B%B7%E5%BE%B7%C2%B7%E6%9C%97%EF%BC%88Fred/dp/B017WGUFKO)@刘先宁
- [ ] [《Java-Web-Security》](https://play.google.com/store/books/details/Java_Web_Security_Sichere_Webanwendungen_mit_Java_?id=ZxZ4DwAAQBAJ&hl=en_US&gl=US)@Dominik Schadow

**二、基础教程**

- [ ] [《Java Web安全-代码审计》](https://github.com/javaweb-sec/javaweb-sec)@凌天实验室
- [ ] [《Java安全漫谈笔记相关内容》](https://github.com/phith0n/JavaThings)@phith0n
- [ ] [《Java代码审计学习笔记》](https://github.com/proudwind/javasec_study)@proudwind
- [ ] [《Java漏洞学习笔记》](https://github.com/SummerSec/JavaLearnVulnerability)@SummerSec
- [ ] [《代码审计入门小项目》](https://github.com/cn-panda/JavaCodeAudit)@cn-panda
- [ ] [《自学Java安全总结》](https://github.com/Maskhe/javasec)@Maskhe
- [ ] [《攻击Java Web应用》](https://github.com/March110/javaweb-sec)@安百科技
- [ ] [《Java RCE 回显测试代码》](https://github.com/feihong-cs/Java-Rce-Echo)@feihong
- [ ] [《Java反序列化技术分享》](https://github.com/Y4er/WebLogic-Shiro-shell)@Y4er
- [ ] [《Java代码审计总结》](https://github.com/huyuanzhi2/CodeReview)@huyuanzhi2
- [ ] [《代码审计知识点整理-Java》](https://github.com/7hang/--Java)@7hang
- [ ] [《Java代码审计案例》](https://github.com/5huai/POC-Test)@5huai
- [ ] [《Java安全和Java框架漏洞》](https://github.com/Firebasky/Java)@Firebasky
- [ ] [《Java安全相关的漏洞和技术demo》](https://github.com/threedr3am/learnjavabug)@threedr3am
- [ ] [《跟我一起JAVA代码审计》](https://www.freebuf.com/column/1289)@0neOfU4
- [ ] [《告别脚本小子系列丨JAVA安全》](https://mp.weixin.qq.com/s/oEI1GLJKSoSLxMcAhFFWKQ)@烽火台实验室

**三、视频教程**

- [ ] [《MS08067安全实验室》](https://space.bilibili.com/396298765?spm_id_from=333.788.b_765f7570696e666f.2)@MS08067
- [ ] [《Java代码审计系列课程》](https://edu.51cto.com/course/27875.html)@Hack_Man
- [ ] [《Java代码审计课程》](https://www.learnfuture.com/study/ist126v)@嘉为教育
- [ ] [《宽字节安全 JAVA安全线上进阶课程》](https://www.cnblogs.com/unicodeSec/p/15062087.html)@宽字节
- [ ] [《Securing Java Web Applications》](https://www.pluralsight.com/courses/java-web-application-security-vulnerabilities)@Josh Cummings
- [ ] https://space.bilibili.com/2142877265

**四、培训演讲**

**五、专利文献**

- [ ] [一种基于java的web动态安全漏洞检测方法](https://patents.google.com/patent/CN103699480B/zh)@安恒

**六、其他资源**

- [ ] https://github.com/topics/static-analysis?l=java
- [ ] [《攻击Java Web应用》](https://zhishihezi.net/b/5d644b6f81cbc9e40460fe7eea3c7925)@javasec
- [ ] [《J2EE 渗透测试与安全开发》](https://zhishihezi.net/b/98ae566719b21536dff0c4febaa697d2)@路人甲
- [ ] [《静态程序分析入门教程》](https://github.com/RangerNJU/Static-Program-Analysis-Book)
- [ ] [《Java代码审计文章集合》](https://www.cnblogs.com/r00tuser/p/10577571.html)@r00tuser
- [ ] https://github.com/su18/JDBC-Attack
- [ ] https://xz.aliyun.com/t/7945
- [ ] http://tttang.com/archive/1322
- [ ] https://teamssix.com/211115-165745.html
- [ ] https://teamssix.com/211115-123451.html
- [ ] https://github.com/dean2021/java_security_book
- [ ] https://github.com/yq1ng/Java
- [ ] https://github.com/wa1ki0g/javasec
- [ ] https://github.com/pen4uin/JavaSec
- [ ] https://github.com/javaparser/javaparser
- [ ] https://github.com/safe6Sec/JavaDeserialization
- [ ] https://github.com/ninthDevilHAUNSTER/JavaSecLearning
- [ ] https://github.com/Ghost2097221/javaweb_security_study_notes
- [ ] https://github.com/Cryin/JavaID
- [ ] https://paper.seebug.org/312
- [ ] https://tttang.com/archive/1337
- [ ] https://paper.seebug.org/1766
- [ ] https://github.com/p1n93r/javasec
- [ ] https://github.com/haby0/sec-note
- [ ] https://github.com/woodpecker-appstore/rmi-deserialization-vuldb
- [ ] https://github.com/4ra1n/JavaSecInterview
- [ ] https://github.com/4ra1n/FindShell
- [ ] https://github.com/pen4uin/java-security
- [ ] https://github.com/flowerwind/JspFinder
- [ ] https://github.com/TonyD0g/JavaHacker
- [ ] https://github.com/qtc-de/remote-method-guesser
- [ ] https://github.com/fynch3r/Gadgets
- [ ] https://tttang.com/archive/1405
- [ ] https://github.com/eugenp/tutorials
- [ ] https://github.com/Adrninistrator/java-all-call-graph
- [ ] https://github.com/KeenSecurityLab/BinAbsInspector
- [ ] https://github.com/R17a-17/JavaVulnSummary
- [ ] [红队java代码审计生命周期](https://xz.aliyun.com/t/11966)
- [ ] [记录一下 Java 安全学习历程](https://github.com/Drun1baby/JavaSecurityLearning)
- [ ] https://github.com/Er1cccc/ACAF
- [ ] https://github.com/cri1wa/MemShell
- [ ] https://github.com/Y4tacker/JavaSec
- [ ] https://xz.aliyun.com/t/12649
- [ ] https://xz.aliyun.com/t/12669

## 02-Java安全研究方向

**一、Web漏洞**
- [ ] 任意命令执行漏洞
- [ ] 任意文件上传漏洞
- [ ] 任意文件写入漏洞
- [ ] 任意文件包含漏洞
- [ ] 任意文件删除漏洞
- [ ] Java反序列化漏洞
- [ ] SQL注入漏洞
- [ ] 业务逻辑漏洞
- [ ] 变量覆盖漏洞
- [ ] 程序安装问题
- [ ] XSS漏洞
- [ ] XXE漏洞
- [ ] SSRF漏洞
- [ ] CSRF漏洞

**二、Java代码审计**
- [ ] https://github.com/ax1sX/SecurityList

**三、Java内存马**
- [ ] https://github.com/Getshell/Mshell

## 03-Java安全研究工具

工欲善其事必先利其器，此处收集整理Java代码审计的一些优秀工具！期待自己的代码审计工具能够早日发布！

**一、SAST**
- [ ] https://github.com/ASTTeam/SAST
- [ ] https://github.com/wooyunwang/Fortify
- [ ] https://github.com/FeeiCN/Cobra
- [ ] https://github.com/LoRexxar/Kunlun-M
- [ ] https://checkstyle.sourceforge.io
- [ ] https://github.com/j5s/XVulnFinder
- [ ] https://github.com/SummerSec/SPATool
- [ ] https://github.com/noidsirius/SootTutorial
- [ ] [Tencent Xcheck](https://cloud.tencent.com/product/asd)

**二、DAST**
- [ ] https://github.com/ASTTeam/DAST

**三、IAST**
- [ ] https://github.com/ASTTeam/IAST
- [ ] https://github.com/HXSecurity/DongTai

**四、CodeQL**
- [ ] https://github.com/ASTTeam/CodeQL

**五、RASP**
- [ ] https://github.com/0e0w/RASP

**六、JNDI**

- [ ] https://github.com/HackJava/JNDI
- [ ] https://github.com/bradfitz/jndi
- [ ] https://github.com/EmYiQing/LDAPKit
- [ ] https://github.com/su18/JNDI
- [ ] https://github.com/welk1n/JNDI-Injection-Exploit
- [ ] https://github.com/feihong-cs/JNDIExploit
- [ ] https://github.com/0x727/JNDIExploit
- [ ] https://github.com/veracode-research/rogue-jndi
- [ ] https://github.com/quentinhardy/jndiat
- [ ] https://github.com/p1n93r/AttackJNDI
- [ ] https://github.com/Jeromeyoung/JNDIExploit-1
- [ ] https://github.com/exp1orer/JNDI-Inject-Exploit
- [ ] https://github.com/zu1k/ldap-log
- [ ] https://github.com/orleven/Celestion

**七、ysoserial**
- [ ] https://github.com/wh1t3p1g/ysomap
- [ ] https://github.com/frohoff/ysoserial
- [ ] https://github.com/KpLi0rn/ysoserial
- [ ] https://github.com/Y4er/ysoserial
- [ ] https://github.com/0range228/Gadgets
- [ ] https://github.com/ikkisoft/SerialKiller
- [ ] https://github.com/5wimming/gadgetinspector
- [ ] https://github.com/threedr3am/gadgetinspector
- [ ] https://github.com/JackOfMostTrades/gadgetinspector
- [ ] https://github.com/Afant1/JavaSearchTools
- [ ] https://github.com/j1anFen/ysoserial_echo
- [ ] https://github.com/EmYiQing/ShortPayload

**八、Monitor**
- [ ] https://github.com/TheKingOfDuck/FileMonitor
- [ ] https://github.com/TheKingOfDuck/MySQLMonitor
- [ ] https://github.com/Lotus6/FileMonitor

**九、IDEA**
- [ ] https://github.com/XianYanTechnology/RocB
- [ ] https://github.com/momosecurity/momo-code-sec-inspector-java
- [ ] https://github.com/XmirrorSecurity/OpenSCA-intellij-plugin

**十、Others**
- [ ] https://github.com/MobSF/mobsfscan
- [ ] https://github.com/threedr3am/log-agent
- [ ] https://github.com/wh1t3p1g/tabby
- [ ] https://github.com/j5s/XVulnFinder
- [ ] https://github.com/EmYiQing/CodeInspector
- [ ] https://github.com/mtxiaowangzi/CAFJE
- [ ] https://github.com/returntocorp/semgrep
- [ ] https://github.com/cqkenuo/LingZhi
- [ ] https://github.com/blinkfox/stalker
- [ ] https://github.com/spotbugs/spotbugs
- [ ] https://github.com/SonarSource/sonarqube
- [ ] https://www.jarchitect.com
- [ ] https://github.com/eclipse/eclemma
- [ ] https://github.com/phith0n/zkar
- [ ] https://github.com/Firebasky/GoRmi
- [ ] https://github.com/LostZX/Kakaka
- [ ] https://github.com/jenkinsci/snyk-security-scanner-plugin
- [ ] https://github.com/secdec/attack-surface-detector-burp
- [ ] https://github.com/0Kee-Team/JavaProbe
- [ ] https://github.com/EmYiQing/SpringInspector
- [ ] https://github.com/whwlsfb/JDumpSpider
- [ ] https://github.com/Ppsoft1991/CodeReviewTools
- [ ] https://github.com/0nise/shell-plus
- [ ] https://github.com/4ra1n/SpringInspector
- [ ] https://github.com/GraxCode/cafecompare
- [ ] https://github.com/siberas/sjet
- [ ] https://github.com/4ra1n/accelerator
- [ ] https://github.com/hluwa/Wallbreaker
- [ ] https://github.com/4ra1n/code-inspector
- [ ] https://github.com/luelueking/ClazzSearcher

## 04-Java安全漏洞环境

此处收集整理Java安全漏洞研究的一些环境，包括Web环境，应用框架漏洞环境等。

- [ ] [WebBug-JavaEE编写的Web漏洞靶场](https://github.com/Mysticbinary/WebBug)@mysticbinary
- [ ] [WebGoat-一个故意不安全的应用程序](https://github.com/WebGoat/WebGoat)@WebGoat
- [ ] [JavaSecurity-Java Web漏洞演示程序](https://github.com/dschadow/JavaSecurity)@dschadow
- [ ] [Java-Web-Security-书籍完整代码示例](https://github.com/dschadow/Java-Web-Security)@dschadow
- [ ] [maobugs-Java 漏洞平台包含各种CVE演示](https://github.com/langligelang/maobugs)@langligelang
- [ ] [SecExample-Java漏洞靶场](https://github.com/tangxiaofeng7/SecExample)@tangxiaofeng7
- [ ] [java sec code-学习Java漏洞代码的项目](https://github.com/JoyChou93/java-sec-code)@JoyChou93
- [ ] [dvja-该死的易受攻击的 Java EE应用程序](https://github.com/appsecco/dvja)@appsecco
- [ ] [JavaVulnerableLab-易受攻击的Java Web应用程序](https://github.com/CSPF-Founder/JavaVulnerableLab)@CSPF-Founder
- [ ] [Java_deserialize_vuln_lab-Java反序列化学习的实验代码](https://github.com/bit4woo/Java_deserialize_vuln_lab)@bit4woo
- [ ] [Java-EE-VulnWeb用于演示的Java Web漏洞项目](https://github.com/mtxiaowangzi/Java-EE-VulnWeb)@mtxiaowangzi
- [ ] [Hello Java Sec-Java安全编码和代码审计](https://github.com/j3ers3/Hello-Java-Sec)@3ers3
- [ ] [javaweb codereview-演示java代码审计程序](https://github.com/iiiusky/javaweb-codereview)@iiiusky
- [ ] [sqlilab Jsp-jsp版sqlilab 1-21关](https://github.com/yhy0/sqlilab-Jsp)@yhy0
- [ ] [ShiroAndFastJson-shiro加fastjson环境](https://github.com/safe6Sec/ShiroAndFastJson)@safe6Sec
- [ ] [RMI 反序列化环境 一步步](https://github.com/lalajun/RMIDeserialize)@lalajun
- [ ] [mytestvul-一个用来做漏洞复现/验证的小框架](https://github.com/novysodope/mytestvul)@novysodope
- [ ] [JavaVulnerableLab circle-练习Java反序列化的最简单环境](https://github.com/pmiaowu/DeserializationTest)@pmiaowu
- [ ] [易受攻击的Java Web应用程序](https://github.com/Zhangyao-zzyy/JavaVulnerableLab-circle)@Zhangyao-zzyy
- [ ] https://github.com/l4yn3/micro_service_seclab
- [ ] https://github.com/GoSecure/goinsecure-deserialization
- [ ] https://gitee.com/cor0ps/java-range
- [ ] https://github.com/c0ny1/xxe-lab
- [ ] https://github.com/shanika04/Kura_XXE
- [ ] https://github.com/t0thkr1s/allsafe
- [ ] https://github.com/oversecured/ovaa
- [ ] https://github.com/jaiswalakshansh/Vuldroid
- [ ] https://github.com/baidu-security/openrasp-testcases
- [ ] https://github.com/cschneider4711/Marathon
- [ ] https://github.com/pmiaowu/RMITest
- [ ] https://github.com/OWASP-Benchmark/BenchmarkJava
- [ ] https://github.com/EmYiQing/CIDemo
- [ ] https://github.com/javaweb-sec/javaweb-vuls
- [ ] https://github.com/LandGrey/SpringBootVulExploit
- [ ] https://github.com/linjiananallnt/ElectricRat

## 05-Java安全漏洞修复

一、Java安全编码规范
- [x] [《Java安全编码标准》](https://developer.aliyun.com/article/175341)@计文柯
- [ ] [OWASP 安全编码规范](https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_%28Chinese%29.pdf)
- [ ] [腾讯-Java安全编码规范](https://github.com/Tencent/secguide/blob/main/Java%E5%AE%89%E5%85%A8%E6%8C%87%E5%8D%97.md)
- [ ] [陌陌-Java安全编码规范](https://github.com/momosecurity/rhizobia_J)
- [ ] 华为-Java安全编码规范
- [ ] 绿盟-Java安全编码规范
- [ ] 奇安信-Java安全编码规范
- [ ] 软通动力-Java-Web安全开发规范
- [ ] [securitypaper-Java安全编码规范](https://www.securitypaper.org/2.sdl%E8%A7%84%E8%8C%83%E6%96%87%E6%A1%A3/3-java%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E8%A7%84%E8%8C%83)

二、Java安全漏洞修复

## 06-Java高危应用框架

此处整理收集Java开发的普遍使用的程序：包括中间件、核心框架、底层库、重要应用系统等。待更新。

- [ ] [Log4j2](https://github.com/HackJava/Log4j2)
- [ ] [Shiro](https://github.com/HackJava/Shiro)
- [ ] [Weblogic](https://github.com/HackJava/Weblogic)
- [ ] MyBatis
- [ ] Spring

## 07-Java安全参考资源

本人在学习Java安全的过程中遇到了很多优秀的Java安全研究员，感谢这些研究者！排名不分先后。

- [ ] https://github.com/4ra1n
- [ ] https://github.com/phith0n
- [ ] https://github.com/su18
- [ ] https://github.com/welk1n
- [ ] https://github.com/threedr3am
- [ ] https://github.com/Y4er
- [ ] https://github.com/wh1t3p1g
- [ ] https://xz.aliyun.com/u/44415

## Stargazers

[![Stargazers @HackJava/HackJava](https://reporoster.com/stars/HackJava/HackJava)](https://github.com/HackJava/HackJava/stargazers)

## Forkers

[![Forkers @HackJava/HackJava](https://reporoster.com/forks/HackJava/HackJava)](https://github.com/HackJava/HackJava/network/members)

![](01-Java安全研究资源/TEMP/wx.png)

[![Stargazers over time](https://starchart.cc//HackJava/HackJava.svg)](https://starchart.cc/HackJava/HackJava)