From 34327d79f6fbe52ac52d232228a2d4f43a8926bb Mon Sep 17 00:00:00 2001
From: juegge <64655256+juegge@users.noreply.github.com>
Date: Thu, 5 Mar 2026 17:46:20 +0200
Subject: [PATCH 1/2] introduce sqli in forum.jsp
Reverted to using Statement for SQL insertion instead of PreparedStatement.
---
src/main/webapp/vulnerability/forum.jsp | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/main/webapp/vulnerability/forum.jsp b/src/main/webapp/vulnerability/forum.jsp
index 20434e1..e6383b5 100644
--- a/src/main/webapp/vulnerability/forum.jsp
+++ b/src/main/webapp/vulnerability/forum.jsp
@@ -45,13 +45,13 @@
{
Statement stmt = con.createStatement();
//Posting Content
- //stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')");
- String sql = "INSERT into posts(content,title,user) values (?,?,?)"
- PreparedStatement prepStmt = con.preparedStatement(sql);
- prepStmt.setString(1,content);
- prepStmt.setString(2,title);
- prepStmt.setString(3,user);
- prepStmt.executeQuery();
+ stmt.executeUpdate("INSERT into posts(content,title,user) values ('"+content+"','"+title+"','"+user+"')");
+ //String sql = "INSERT into posts(content,title,user) values (?,?,?)"
+ //PreparedStatement prepStmt = con.preparedStatement(sql);
+ //prepStmt.setString(1,content);
+ //prepStmt.setString(2,title);
+ //prepStmt.setString(3,user);
+ //prepStmt.executeQuery();
out.print("Successfully posted");
}
}
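Review bot: The re-enabled `stmt.executeUpdate(...)` line splices `content`, `title` and `user` straight into the INSERT text, so a quote character in any of them changes the statement. If this is a deliberate training fixture, a comment next to the line should say so, so that it is not copied as a pattern. The commented-out parameterized version kept as the reference fix would not compile if restored: the `String sql` line lacks its terminating semicolon, `con.preparedStatement(sql)` should be `con.prepareStatement(sql)`, and an INSERT should run through `executeUpdate()` rather than `executeQuery()`. `stmt` is never closed within the hunk, though the enclosing block starts and ends outside it, so cleanup may happen elsewhere. The corrected reference block below assumes `java.sql.PreparedStatement` is imported by the page, which the hunk does not show.

```java
// … unchanged: enclosing condition and opening brace …
//Posting Content
// Bound parameters keep the three values as data; the plain Statement is not needed for this insert.
String sql = "INSERT into posts(content,title,user) values (?,?,?)";
try (PreparedStatement prepStmt = con.prepareStatement(sql)) {
    prepStmt.setString(1, content);
    prepStmt.setString(2, title);
    prepStmt.setString(3, user);
    prepStmt.executeUpdate();
}
out.print("Successfully posted");
```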
From 002f89f520d68076a339ef1d291dbffe943b8ccf Mon Sep 17 00:00:00 2001
From: juegge <64655256+juegge@users.noreply.github.com>
Date: Thu, 5 Mar 2026 17:47:32 +0200
Subject: [PATCH 2/2] Downgrade Undertow core version to 2.0.9.Final
add sca vulns
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0f1478b..81b58d9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,7 +49,7 @@
io.undertow
undertow-core
- 2.3.22.Final
+ 2.0.9.Final
javax.servlet