[WEB SECURITY] Web App vulnerable to HQL Injection?

Stephen de Vries stephen at continuumsecurity.net
Thu Feb 13 04:36:41 EST 2014

On 13 Feb 2014, at 10:16, Paul AMAR <aos.paul at gmail.com> wrote:
> Do you know any Web app vulnerable to HQL Injection?

Here’s one I wrote and use for internal testing: https://github.com/continuumsecurity/RopeyTasks/. There’s HQL injection in two of the Controllers, e.g.: https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy

Best to download grails and run it from there so you can play with the code. If you run "grails war", you can then copy the resulting .war file to any servlet container like Tomcat, Jetty, etc.

Disclaimer: this wasn’t really designed for public consumption, just for my internal testing, so it’s not as user friendly as DVWA and other vulnerable apps.

