文档手册
欺骗的艺术
Web安全渗透剖析
Web应用漏洞侦测与防御
无线网络安全攻防实战进阶
论PHP常见的漏洞
Android 渗透测试手册
Python高级与网络编程
Nmap参考指南
Wireshark 用户手册
Web Hacking 101 中文版
渗透测试学习手册(中文)
浅入浅出Android安全
全网最强渗透知识库HackTricks
The Hacker Recipes(红队技巧手册)
Pentest Book(渗透测试权威指南)
RedTeam2.0(红队笔记)
AD域渗透专项英文参考
C2Matrix(C2工具大全)
OSCP备考笔记
Hack The Box OSCP Preparation
Micro8技术笔记
攻防实录:渗透测试从0-1
WIN系统安全加固手册
应急响应手册在线阅读
WebShell免杀PHP手册
简要基础命令速查笔记
Java安全知识体系合集
Go安全知识体系合集
Go安全开发逆向结合
Web3区块链安全合集
PHP安全知识体系合集
云安全方向的知识文库
CTF从入门到快速放弃
Cobalt Strike使用手册
区块链黑暗森林自救手册
小迪安全知识库
-
+
首页
Java安全知识体系合集
Java安全知识体系合集
项目地址:https://github.com/HackJava/HackJava 本项目是记录自己在学习研究Java安全过程中遇到的优秀资源,包括Java安全的多个细分领域,如Java漏洞分析和Java代码审计以及Java开发的应用程序组件协议甚至Java本身的安全问题等。一个不能攻击Java的黑客不是一个好黑客,一个不懂Java安全的师傅不是一个好师傅!深入理解Java安全,拯救宇宙!作者:[0e0w](https://github.com/0e0w) 本项目创建于2021年7月8日,最近的一次更新时间为2023年8月4日。本项目会持续更新,直到海枯石烂。 * [01-Java安全研究资源](https://github.com/HackJava/HackJava#01-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E8%B5%84%E6%BA%90) * [02-Java安全研究方向](https://github.com/HackJava/HackJava#02-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E6%96%B9%E5%90%91) * [03-Java安全研究工具](https://github.com/HackJava/HackJava#03-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E5%B7%A5%E5%85%B7) * [04-Java安全漏洞环境](https://github.com/HackJava/HackJava#04-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83) * [05-Java安全漏洞修复](https://github.com/HackJava/HackJava#05-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D) * [06-Java安全高危应用](https://github.com/HackJava/HackJava#06-java%E5%AE%89%E5%85%A8%E9%AB%98%E5%8D%B1%E5%BA%94%E7%94%A8) * [07-Java安全参考资源](https://github.com/HackJava/HackJava#07-java%E5%AE%89%E5%85%A8%E5%8F%82%E8%80%83%E8%B5%84%E6%BA%90) ## 01-Java安全研究资源 [](https://github.com/HackJava/HackJava#01-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E8%B5%84%E6%BA%90) **一、书籍资料** * [《Java代码审计-入门篇》](https://item.jd.com/10033832360716.html)@陈俊杰等 * [《Java代码审计实战》](https://item.jd.com/13466996.html)@高昌盛等 * [《Java安全编码标准》](https://book.douban.com/subject/24846041)@计文柯译 * [《Java安全性编程指南》](https://github.com/HackJava/HackJava/blob/main)@庞南 * [《Java安全》](https://github.com/HackJava/HackJava/blob/main)@奥克斯 * [《Java编码指南》](https://www.amazon.co.uk/%E7%BC%96%E5%86%99%E5%AE%89%E5%85%A8%E5%8F%AF%E9%9D%A0%E7%A8%8B%E5%BA%8F%E7%9A%8475%E6%9D%A1%E5%BB%BA%E8%AE%AE%EF%BC%88%E8%8B%B1%E6%96%87%E7%89%88%EF%BC%89-%E5%BE%B7%E9%B2%81%C2%B7%E8%8E%AB%E6%AC%A3%E8%BE%BE%EF%BC%88Dhruv-C-%E8%A5%BF%E7%A7%91%E5%BE%B7%EF%BC%88Robert-F-%E8%90%A8%E7%91%9F%E5%85%B0%EF%BC%88Dean-%E5%BC%97%E9%9B%B7%E5%BE%B7%C2%B7%E6%9C%97%EF%BC%88Fred/dp/B017WGUFKO)@刘先宁 * [《Java-Web-Security》](https://play.google.com/store/books/details/Java_Web_Security_Sichere_Webanwendungen_mit_Java_?id=ZxZ4DwAAQBAJ&hl=en_US&gl=US)@Dominik Schadow **二、基础教程** * [《Java Web安全-代码审计》](https://github.com/javaweb-sec/javaweb-sec)@凌天实验室 * [《Java安全漫谈笔记相关内容》](https://github.com/phith0n/JavaThings)@phith0n * [《Java代码审计学习笔记》](https://github.com/proudwind/javasec_study)@proudwind * [《Java漏洞学习笔记》](https://github.com/SummerSec/JavaLearnVulnerability)@SummerSec * [《代码审计入门小项目》](https://github.com/cn-panda/JavaCodeAudit)@cn-panda * [《自学Java安全总结》](https://github.com/Maskhe/javasec)@Maskhe * [《攻击Java Web应用》](https://github.com/March110/javaweb-sec)@安百科技 * [《Java RCE 回显测试代码》](https://github.com/feihong-cs/Java-Rce-Echo)@feihong * [《Java反序列化技术分享》](https://github.com/Y4er/WebLogic-Shiro-shell)@Y4er * [《Java代码审计总结》](https://github.com/huyuanzhi2/CodeReview)@huyuanzhi2 * [《代码审计知识点整理-Java》](https://github.com/7hang/--Java)@7hang * [《Java代码审计案例》](https://github.com/5huai/POC-Test)@5huai * [《Java安全和Java框架漏洞》](https://github.com/Firebasky/Java)@Firebasky * [《Java安全相关的漏洞和技术demo》](https://github.com/threedr3am/learnjavabug)@threedr3am * [《跟我一起JAVA代码审计》](https://www.freebuf.com/column/1289)@0neOfU4 * [《告别脚本小子系列丨JAVA安全》](https://mp.weixin.qq.com/s/oEI1GLJKSoSLxMcAhFFWKQ)@烽火台实验室 **三、视频教程** * [《MS08067安全实验室》](https://space.bilibili.com/396298765?spm_id_from=333.788.b_765f7570696e666f.2)@MS08067 * [《Java代码审计系列课程》](https://edu.51cto.com/course/27875.html)@Hack\_Man * [《Java代码审计课程》](https://www.learnfuture.com/study/ist126v)@嘉为教育 * [《宽字节安全 JAVA安全线上进阶课程》](https://www.cnblogs.com/unicodeSec/p/15062087.html)@宽字节 * [《Securing Java Web Applications》](https://www.pluralsight.com/courses/java-web-application-security-vulnerabilities)@Josh Cummings * [https://space.bilibili.com/2142877265](https://space.bilibili.com/2142877265) **四、培训演讲** **五、专利文献** * [一种基于java的web动态安全漏洞检测方法](https://patents.google.com/patent/CN103699480B/zh)@安恒 **六、其他资源** * [https://github.com/topics/static-analysis?l=java](https://github.com/topics/static-analysis?l=java) * [《攻击Java Web应用》](https://zhishihezi.net/b/5d644b6f81cbc9e40460fe7eea3c7925)@javasec * [《J2EE 渗透测试与安全开发》](https://zhishihezi.net/b/98ae566719b21536dff0c4febaa697d2)@路人甲 * [《静态程序分析入门教程》](https://github.com/RangerNJU/Static-Program-Analysis-Book) * [《Java代码审计文章集合》](https://www.cnblogs.com/r00tuser/p/10577571.html)@r00tuser * [https://github.com/su18/JDBC-Attack](https://github.com/su18/JDBC-Attack) * [https://xz.aliyun.com/t/7945](https://xz.aliyun.com/t/7945) * [http://tttang.com/archive/1322](http://tttang.com/archive/1322) * [https://teamssix.com/211115-165745.html](https://teamssix.com/211115-165745.html) * [https://teamssix.com/211115-123451.html](https://teamssix.com/211115-123451.html) * [https://github.com/dean2021/java\_security\_book](https://github.com/dean2021/java_security_book) * [https://github.com/yq1ng/Java](https://github.com/yq1ng/Java) * [https://github.com/wa1ki0g/javasec](https://github.com/wa1ki0g/javasec) * [https://github.com/pen4uin/JavaSec](https://github.com/pen4uin/JavaSec) * [https://github.com/javaparser/javaparser](https://github.com/javaparser/javaparser) * [https://github.com/safe6Sec/JavaDeserialization](https://github.com/safe6Sec/JavaDeserialization) * [https://github.com/ninthDevilHAUNSTER/JavaSecLearning](https://github.com/ninthDevilHAUNSTER/JavaSecLearning) * [https://github.com/Ghost2097221/javaweb\_security\_study\_notes](https://github.com/Ghost2097221/javaweb_security_study_notes) * [https://github.com/Cryin/JavaID](https://github.com/Cryin/JavaID) * [https://paper.seebug.org/312](https://paper.seebug.org/312) * [https://tttang.com/archive/1337](https://tttang.com/archive/1337) * [https://paper.seebug.org/1766](https://paper.seebug.org/1766) * [https://github.com/p1n93r/javasec](https://github.com/p1n93r/javasec) * [https://github.com/haby0/sec-note](https://github.com/haby0/sec-note) * [https://github.com/woodpecker-appstore/rmi-deserialization-vuldb](https://github.com/woodpecker-appstore/rmi-deserialization-vuldb) * [https://github.com/4ra1n/JavaSecInterview](https://github.com/4ra1n/JavaSecInterview) * [https://github.com/4ra1n/FindShell](https://github.com/4ra1n/FindShell) * [https://github.com/pen4uin/java-security](https://github.com/pen4uin/java-security) * [https://github.com/flowerwind/JspFinder](https://github.com/flowerwind/JspFinder) * [https://github.com/TonyD0g/JavaHacker](https://github.com/TonyD0g/JavaHacker) * [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) * [https://github.com/fynch3r/Gadgets](https://github.com/fynch3r/Gadgets) * [https://tttang.com/archive/1405](https://tttang.com/archive/1405) * [https://github.com/eugenp/tutorials](https://github.com/eugenp/tutorials) * [https://github.com/Adrninistrator/java-all-call-graph](https://github.com/Adrninistrator/java-all-call-graph) * [https://github.com/KeenSecurityLab/BinAbsInspector](https://github.com/KeenSecurityLab/BinAbsInspector) * [https://github.com/R17a-17/JavaVulnSummary](https://github.com/R17a-17/JavaVulnSummary) * [红队java代码审计生命周期](https://xz.aliyun.com/t/11966) * [记录一下 Java 安全学习历程](https://github.com/Drun1baby/JavaSecurityLearning) * [https://github.com/Er1cccc/ACAF](https://github.com/Er1cccc/ACAF) * [https://github.com/cri1wa/MemShell](https://github.com/cri1wa/MemShell) * [https://github.com/Y4tacker/JavaSec](https://github.com/Y4tacker/JavaSec) * [https://xz.aliyun.com/t/12649](https://xz.aliyun.com/t/12649) * [https://xz.aliyun.com/t/12669](https://xz.aliyun.com/t/12669) ## 02-Java安全研究方向 [](https://github.com/HackJava/HackJava#02-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E6%96%B9%E5%90%91) **一、Web漏洞** * 任意命令执行漏洞 * 任意文件上传漏洞 * 任意文件写入漏洞 * 任意文件包含漏洞 * 任意文件删除漏洞 * Java反序列化漏洞 * SQL注入漏洞 * 业务逻辑漏洞 * 变量覆盖漏洞 * 程序安装问题 * XSS漏洞 * XXE漏洞 * SSRF漏洞 * CSRF漏洞 **二、Java代码审计** * [https://github.com/ax1sX/SecurityList](https://github.com/ax1sX/SecurityList) **三、Java内存马** * [https://github.com/Getshell/Mshell](https://github.com/Getshell/Mshell) ## 03-Java安全研究工具 [](https://github.com/HackJava/HackJava#03-java%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E5%B7%A5%E5%85%B7) 工欲善其事必先利其器,此处收集整理Java代码审计的一些优秀工具!期待自己的代码审计工具能够早日发布! **一、SAST** * [https://github.com/ASTTeam/SAST](https://github.com/ASTTeam/SAST) * [https://github.com/wooyunwang/Fortify](https://github.com/wooyunwang/Fortify) * [https://github.com/FeeiCN/Cobra](https://github.com/FeeiCN/Cobra) * [https://github.com/LoRexxar/Kunlun-M](https://github.com/LoRexxar/Kunlun-M) * [https://checkstyle.sourceforge.io](https://checkstyle.sourceforge.io/) * [https://github.com/j5s/XVulnFinder](https://github.com/j5s/XVulnFinder) * [https://github.com/SummerSec/SPATool](https://github.com/SummerSec/SPATool) * [https://github.com/noidsirius/SootTutorial](https://github.com/noidsirius/SootTutorial) * [Tencent Xcheck](https://cloud.tencent.com/product/asd) **二、DAST** * [https://github.com/ASTTeam/DAST](https://github.com/ASTTeam/DAST) **三、IAST** * [https://github.com/ASTTeam/IAST](https://github.com/ASTTeam/IAST) * [https://github.com/HXSecurity/DongTai](https://github.com/HXSecurity/DongTai) **四、CodeQL** * [https://github.com/ASTTeam/CodeQL](https://github.com/ASTTeam/CodeQL) **五、RASP** * [https://github.com/0e0w/RASP](https://github.com/0e0w/RASP) **六、JNDI** * [https://github.com/HackJava/JNDI](https://github.com/HackJava/JNDI) * [https://github.com/bradfitz/jndi](https://github.com/bradfitz/jndi) * [https://github.com/EmYiQing/LDAPKit](https://github.com/EmYiQing/LDAPKit) * [https://github.com/su18/JNDI](https://github.com/su18/JNDI) * [https://github.com/welk1n/JNDI-Injection-Exploit](https://github.com/welk1n/JNDI-Injection-Exploit) * [https://github.com/feihong-cs/JNDIExploit](https://github.com/feihong-cs/JNDIExploit) * [https://github.com/0x727/JNDIExploit](https://github.com/0x727/JNDIExploit) * [https://github.com/veracode-research/rogue-jndi](https://github.com/veracode-research/rogue-jndi) * [https://github.com/quentinhardy/jndiat](https://github.com/quentinhardy/jndiat) * [https://github.com/p1n93r/AttackJNDI](https://github.com/p1n93r/AttackJNDI) * [https://github.com/Jeromeyoung/JNDIExploit-1](https://github.com/Jeromeyoung/JNDIExploit-1) * [https://github.com/exp1orer/JNDI-Inject-Exploit](https://github.com/exp1orer/JNDI-Inject-Exploit) * [https://github.com/zu1k/ldap-log](https://github.com/zu1k/ldap-log) * [https://github.com/orleven/Celestion](https://github.com/orleven/Celestion) **七、ysoserial** * [https://github.com/wh1t3p1g/ysomap](https://github.com/wh1t3p1g/ysomap) * [https://github.com/frohoff/ysoserial](https://github.com/frohoff/ysoserial) * [https://github.com/KpLi0rn/ysoserial](https://github.com/KpLi0rn/ysoserial) * [https://github.com/Y4er/ysoserial](https://github.com/Y4er/ysoserial) * [https://github.com/0range228/Gadgets](https://github.com/0range228/Gadgets) * [https://github.com/ikkisoft/SerialKiller](https://github.com/ikkisoft/SerialKiller) * [https://github.com/5wimming/gadgetinspector](https://github.com/5wimming/gadgetinspector) * [https://github.com/threedr3am/gadgetinspector](https://github.com/threedr3am/gadgetinspector) * [https://github.com/JackOfMostTrades/gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector) * [https://github.com/Afant1/JavaSearchTools](https://github.com/Afant1/JavaSearchTools) * [https://github.com/j1anFen/ysoserial\_echo](https://github.com/j1anFen/ysoserial_echo) * [https://github.com/EmYiQing/ShortPayload](https://github.com/EmYiQing/ShortPayload) **八、Monitor** * [https://github.com/TheKingOfDuck/FileMonitor](https://github.com/TheKingOfDuck/FileMonitor) * [https://github.com/TheKingOfDuck/MySQLMonitor](https://github.com/TheKingOfDuck/MySQLMonitor) * [https://github.com/Lotus6/FileMonitor](https://github.com/Lotus6/FileMonitor) **九、IDEA** * [https://github.com/XianYanTechnology/RocB](https://github.com/XianYanTechnology/RocB) * [https://github.com/momosecurity/momo-code-sec-inspector-java](https://github.com/momosecurity/momo-code-sec-inspector-java) * [https://github.com/XmirrorSecurity/OpenSCA-intellij-plugin](https://github.com/XmirrorSecurity/OpenSCA-intellij-plugin) **十、Others** * [https://github.com/MobSF/mobsfscan](https://github.com/MobSF/mobsfscan) * [https://github.com/threedr3am/log-agent](https://github.com/threedr3am/log-agent) * [https://github.com/wh1t3p1g/tabby](https://github.com/wh1t3p1g/tabby) * [https://github.com/j5s/XVulnFinder](https://github.com/j5s/XVulnFinder) * [https://github.com/EmYiQing/CodeInspector](https://github.com/EmYiQing/CodeInspector) * [https://github.com/mtxiaowangzi/CAFJE](https://github.com/mtxiaowangzi/CAFJE) * [https://github.com/returntocorp/semgrep](https://github.com/returntocorp/semgrep) * [https://github.com/cqkenuo/LingZhi](https://github.com/cqkenuo/LingZhi) * [https://github.com/blinkfox/stalker](https://github.com/blinkfox/stalker) * [https://github.com/spotbugs/spotbugs](https://github.com/spotbugs/spotbugs) * [https://github.com/SonarSource/sonarqube](https://github.com/SonarSource/sonarqube) * [https://www.jarchitect.com](https://www.jarchitect.com/) * [https://github.com/eclipse/eclemma](https://github.com/eclipse/eclemma) * [https://github.com/phith0n/zkar](https://github.com/phith0n/zkar) * [https://github.com/Firebasky/GoRmi](https://github.com/Firebasky/GoRmi) * [https://github.com/LostZX/Kakaka](https://github.com/LostZX/Kakaka) * [https://github.com/jenkinsci/snyk-security-scanner-plugin](https://github.com/jenkinsci/snyk-security-scanner-plugin) * [https://github.com/secdec/attack-surface-detector-burp](https://github.com/secdec/attack-surface-detector-burp) * [https://github.com/0Kee-Team/JavaProbe](https://github.com/0Kee-Team/JavaProbe) * [https://github.com/EmYiQing/SpringInspector](https://github.com/EmYiQing/SpringInspector) * [https://github.com/whwlsfb/JDumpSpider](https://github.com/whwlsfb/JDumpSpider) * [https://github.com/Ppsoft1991/CodeReviewTools](https://github.com/Ppsoft1991/CodeReviewTools) * [https://github.com/0nise/shell-plus](https://github.com/0nise/shell-plus) * [https://github.com/4ra1n/SpringInspector](https://github.com/4ra1n/SpringInspector) * [https://github.com/GraxCode/cafecompare](https://github.com/GraxCode/cafecompare) * [https://github.com/siberas/sjet](https://github.com/siberas/sjet) * [https://github.com/4ra1n/accelerator](https://github.com/4ra1n/accelerator) * [https://github.com/hluwa/Wallbreaker](https://github.com/hluwa/Wallbreaker) * [https://github.com/4ra1n/code-inspector](https://github.com/4ra1n/code-inspector) * [https://github.com/luelueking/ClazzSearcher](https://github.com/luelueking/ClazzSearcher) ## 04-Java安全漏洞环境 [](https://github.com/HackJava/HackJava#04-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83) 此处收集整理Java安全漏洞研究的一些环境,包括Web环境,应用框架漏洞环境等。 * [WebBug-JavaEE编写的Web漏洞靶场](https://github.com/Mysticbinary/WebBug)@mysticbinary * [WebGoat-一个故意不安全的应用程序](https://github.com/WebGoat/WebGoat)@WebGoat * [JavaSecurity-Java Web漏洞演示程序](https://github.com/dschadow/JavaSecurity)@dschadow * [Java-Web-Security-书籍完整代码示例](https://github.com/dschadow/Java-Web-Security)@dschadow * [maobugs-Java 漏洞平台包含各种CVE演示](https://github.com/langligelang/maobugs)@langligelang * [SecExample-Java漏洞靶场](https://github.com/tangxiaofeng7/SecExample)@tangxiaofeng7 * [java sec code-学习Java漏洞代码的项目](https://github.com/JoyChou93/java-sec-code)@JoyChou93 * [dvja-该死的易受攻击的 Java EE应用程序](https://github.com/appsecco/dvja)@appsecco * [JavaVulnerableLab-易受攻击的Java Web应用程序](https://github.com/CSPF-Founder/JavaVulnerableLab)@CSPF-Founder * [Java\_deserialize\_vuln\_lab-Java反序列化学习的实验代码](https://github.com/bit4woo/Java_deserialize_vuln_lab)@bit4woo * [Java-EE-VulnWeb用于演示的Java Web漏洞项目](https://github.com/mtxiaowangzi/Java-EE-VulnWeb)@mtxiaowangzi * [Hello Java Sec-Java安全编码和代码审计](https://github.com/j3ers3/Hello-Java-Sec)@3ers3 * [javaweb codereview-演示java代码审计程序](https://github.com/iiiusky/javaweb-codereview)@iiiusky * [sqlilab Jsp-jsp版sqlilab 1-21关](https://github.com/yhy0/sqlilab-Jsp)@yhy0 * [ShiroAndFastJson-shiro加fastjson环境](https://github.com/safe6Sec/ShiroAndFastJson)@safe6Sec * [RMI 反序列化环境 一步步](https://github.com/lalajun/RMIDeserialize)@lalajun * [mytestvul-一个用来做漏洞复现/验证的小框架](https://github.com/novysodope/mytestvul)@novysodope * [JavaVulnerableLab circle-练习Java反序列化的最简单环境](https://github.com/pmiaowu/DeserializationTest)@pmiaowu * [易受攻击的Java Web应用程序](https://github.com/Zhangyao-zzyy/JavaVulnerableLab-circle)@Zhangyao-zzyy * [https://github.com/l4yn3/micro\_service\_seclab](https://github.com/l4yn3/micro_service_seclab) * [https://github.com/GoSecure/goinsecure-deserialization](https://github.com/GoSecure/goinsecure-deserialization) * [https://gitee.com/cor0ps/java-range](https://gitee.com/cor0ps/java-range) * [https://github.com/c0ny1/xxe-lab](https://github.com/c0ny1/xxe-lab) * [https://github.com/shanika04/Kura\_XXE](https://github.com/shanika04/Kura_XXE) * [https://github.com/t0thkr1s/allsafe](https://github.com/t0thkr1s/allsafe) * [https://github.com/oversecured/ovaa](https://github.com/oversecured/ovaa) * [https://github.com/jaiswalakshansh/Vuldroid](https://github.com/jaiswalakshansh/Vuldroid) * [https://github.com/baidu-security/openrasp-testcases](https://github.com/baidu-security/openrasp-testcases) * [https://github.com/cschneider4711/Marathon](https://github.com/cschneider4711/Marathon) * [https://github.com/pmiaowu/RMITest](https://github.com/pmiaowu/RMITest) * [https://github.com/OWASP-Benchmark/BenchmarkJava](https://github.com/OWASP-Benchmark/BenchmarkJava) * [https://github.com/EmYiQing/CIDemo](https://github.com/EmYiQing/CIDemo) * [https://github.com/javaweb-sec/javaweb-vuls](https://github.com/javaweb-sec/javaweb-vuls) * [https://github.com/LandGrey/SpringBootVulExploit](https://github.com/LandGrey/SpringBootVulExploit) * [https://github.com/linjiananallnt/ElectricRat](https://github.com/linjiananallnt/ElectricRat) ## 05-Java安全漏洞修复 [](https://github.com/HackJava/HackJava#05-java%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D) 一、Java安全编码规范 * [《Java安全编码标准》](https://developer.aliyun.com/article/175341)@计文柯 * [OWASP 安全编码规范](https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_%28Chinese%29.pdf) * [腾讯-Java安全编码规范](https://github.com/Tencent/secguide/blob/main/Java%E5%AE%89%E5%85%A8%E6%8C%87%E5%8D%97.md) * [陌陌-Java安全编码规范](https://github.com/momosecurity/rhizobia_J) * 华为-Java安全编码规范 * 绿盟-Java安全编码规范 * 奇安信-Java安全编码规范 * 软通动力-Java-Web安全开发规范 * [securitypaper-Java安全编码规范](https://www.securitypaper.org/2.sdl%E8%A7%84%E8%8C%83%E6%96%87%E6%A1%A3/3-java%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E8%A7%84%E8%8C%83) 二、Java安全漏洞修复 ## 06-Java高危应用框架 [](https://github.com/HackJava/HackJava#06-java%E9%AB%98%E5%8D%B1%E5%BA%94%E7%94%A8%E6%A1%86%E6%9E%B6) 此处整理收集Java开发的普遍使用的程序:包括中间件、核心框架、底层库、重要应用系统等。待更新。 * [Log4j2](https://github.com/HackJava/Log4j2) * [Shiro](https://github.com/HackJava/Shiro) * [Weblogic](https://github.com/HackJava/Weblogic) * MyBatis * Spring ## 07-Java安全参考资源 [](https://github.com/HackJava/HackJava#07-java%E5%AE%89%E5%85%A8%E5%8F%82%E8%80%83%E8%B5%84%E6%BA%90) 本人在学习Java安全的过程中遇到了很多优秀的Java安全研究员,感谢这些研究者!排名不分先后。 * [https://github.com/4ra1n](https://github.com/4ra1n) * [https://github.com/phith0n](https://github.com/phith0n) * [https://github.com/su18](https://github.com/su18) * [https://github.com/welk1n](https://github.com/welk1n) * [https://github.com/threedr3am](https://github.com/threedr3am) * [https://github.com/Y4er](https://github.com/Y4er) * [https://github.com/wh1t3p1g](https://github.com/wh1t3p1g) * [https://xz.aliyun.com/u/44415](https://xz.aliyun.com/u/44415)
xiaodi
2026年4月30日 15:56
0 条评论
转发
收藏文档
上一篇
下一篇
手机扫码
复制链接
手机扫一扫转发分享
复制链接
分享
链接
类型
密码
更新密码
有效期
Markdown文件
Word文件
PDF文档
PDF文档(打印)