See the following subsections for a short description and the requirements to execute the sample code and launch the web application.

Web application using JavaServer Pages (JSP) to show the difference between output escaping via Enterprise Security API (ESAPI) and no output escaping at all. Use an input like *<script>alert('XSS')</script>* to examine the difference.

**Requirements:** Apache Tomcat, Webbrowser

Web application using JavaServer Faces (JSF) to demonstrate the two different possibilities to show user input in a web page with *#{contact.firstname}* and *<h:outputText value="#{contact.firstname}" />*. Use an input like *<script>alert('XSS')</script>* to examine the difference.

**Requirements:** Apache Tomcat, Webbrowser

Spring based web application using JavaServer Pages (JSP) to demonstrate the two different possibilities to show user input in a web page with *${contact.firstname}* and *<c:out value="${contact.firstname}" />*. Use an input like *<script>alert('XSS')</script>* to examine the difference.

**Requirements:** Apache Tomcat, Webbrowser

Web application using JavaServer Faces (JSF) to show the difference between using unprotected and protected Maps (with *IntegerAccessReferenceMaps* and *RandomAccessReferenceMaps*) with user data.

**Requirements:** Apache Tomcat, Webbrowser

Web application using a Servlet filter to add the *Strict-Transport-Security* header to each response.

**Requirements:** Apache Tomcat, Webbrowser

Web application invalidating an existing session and its session id before continuing the login process. This web application requires the included special *context.xml* configuration for Tomcat in order to display the current session id via JavaScript.

**Requirements:** Apache Tomcat, Webbrowser

Web application containing a complete *web.xml* configuration showing how to protect cookies and other session data. Contains only a start page which fails trying to show the session cookie in a JavaScript popup.

**Requirements:** Apache Tomcat, Webbrowser

Web application using user input to query a in-memory-database. The entered data is used as part of a normal *Statement*, an *escaped Statement*, a *Prepared Statement* and as input for a *Hibernate Query Language*.

**Requirements:** Apache Tomcat, Webbrowser

Web application using user input to query a simple XML document. The entered data (name and password) is used as part of a normal *XPath expression* without any escaping and escaped as part of another *XPath expression*. The unescaped version is prune to XPath Injection, which makes it possible to retrieve more data of the XML document as the intended order limit.

**Requirements:** Apache Tomcat, Webbrowser

Web application with three input processing servlets. One is unprotected and processes any input without input validation or output escaping and is prone to Cross-Site Scripting. The second servlet adds a minimal *Content-Security-Policy* header to the response and allows to use any source from the same page (URL). This already protects the response page from Cross-Site Scripting in supported browsers. The third form adds a *Content-Security-Policy-Report-Only* header and shows how easy the reported data can be processed.

**Requirements:** Apache Tomcat, Webbrowser

Web application to test the three XSS types *stored*, *reflected* and *DOM based*. The input textfield is vulnerable to XSS and can be easily protected by enabling output escaping. Cookie could be protected by removing the special *context.xml* and by setting the corresponding *web.xml* parameter.

This web application requires the included special *context.xml* configuration for Tomcat in order to display the current session id via JavaScript.

**Requirements:** Apache Tomcat, Webbrowser

Web application showing the differences between a blacklist and an ESAPI based request filtering. Use an input like *<script>alert('XSS')</script>* to see the different output on the output pages.

**Requirements:** Apache Tomcat, Webbrowser

JavaServer Faces (JSF) based web application accepting user input in two forms. The first form results into an output page showing the user input in drop down boxes and output text fields with all default attributes active. The second form results into an output page using the same output fields with any additional security related attribute set to the maximum. Use an input like *<script>alert('XSS')</script>* to challenge the JSF XSS protection.

**Requirements:** Apache Tomcat, Webbrowser

Web application showing Cross-Site Request Forgery (CSRF) with GET and POST requests and how to protect forms with an anti CSRF token. All requests on the **Unprotected Requests** page are successful and reach the backend as a normal request. The **Protected Requests** page contains successful (with token) and unsuccessful (without token) requests; only the valid requests are processed in the backend.

**Requirements:** Apache Tomcat, Webbrowser

[](https://travis-ci.org/dschadow/Java-Web-Security)

[](https://opensource.org/licenses/Apache-2.0)