A production-ready Spring Boot e-commerce application demonstrating all OWASP Top 10 2025 security vulnerabilities and their secure implementations.
- Spring Boot 3.2 backend with REST API
- Thymeleaf + TailwindCSS admin panel (server-side rendered)
- React + Vite customer-facing client
- All 10 OWASP 2025 vulnerabilities demonstrated with vulnerable AND secure endpoints
- JWT authentication for API, session-based for admin
- OpenAPI/Swagger documentation
- H2 in-memory database for easy demo
- Java 17+
- Node.js 18+
- Maven 3.8+ (or use included wrapper)
Backend:

```bash
cd backend
./mvnw spring-boot:run
```

Frontend:

```bash
cd frontend
npm install
npm run dev
```

| URL | Description |
|---|---|
| http://localhost:8080/admin/dashboard | Admin Panel (Thymeleaf) |
| http://localhost:5173 | React Customer App |
| http://localhost:8080/swagger-ui.html | API Documentation |
| http://localhost:8080/h2-console | Database Console (username: sa, no password) |
| Role | Email | Password |
|---|---|---|
| Admin | admin@owasp.demo | Admin123! |
| Customer | john@example.com | Customer123! |
| Customer | jane@example.com | Customer123! |
| # | Vulnerability | Vulnerable Endpoint | Secure Implementation |
|---|---|---|---|
| A01 | Broken Access Control | /api/owasp/vulnerable/orders/{id} | Owner verification in OrderService |
| A02 | Security Misconfiguration | /api/owasp/vulnerable/config | Minimal exposure in SecurityConfig |
| A03 | Supply Chain Failures | Dependency management | Version pinning in pom.xml |
| A04 | Cryptographic Failures | /api/owasp/vulnerable/users/{id} | BCrypt + DTO filtering |
| A05 | Injection | /api/owasp/vulnerable/products/search | Parameterized queries |
| A06 | Insecure Design | No rate limiting | Account lockout after 5 fails |
| A07 | Authentication Failures | Weak passwords allowed | Strong password policy |
| A08 | Integrity Failures | - | Signed JWT, CSRF protection |
| A09 | Logging Failures | - | AuditLogService + Security logs |
| A10 | Exception Handling | /api/owasp/vulnerable/error-demo | GlobalExceptionHandler |
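As an added illustration of the A01 row (not code from this repository), the owner check the secure OrderService applies, written as plain Java with an in-memory order list standing in for the JPA repository and an in-memory list standing in for AuditLogService; the method names `getOrderVulnerable`/`getOrderSecure` and the sample orders are assumptions for this demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.NoSuchElementException;

public class OrderAccessDemo {
    // Stands in for the JPA Order entity; the sample orders are constructed for this demo.
    record Order(long id, String ownerEmail, String item) {}

    static final List<Order> ORDERS = List.of(
            new Order(1, "john@example.com", "Keyboard"),
            new Order(2, "jane@example.com", "Monitor"));

    // In-memory stand-in for the AuditLogService named in the A09 row.
    static final List<String> AUDIT_LOG = new ArrayList<>();

    // A01 VULNERABLE pattern: the lookup never involves the caller, so any
    // authenticated customer can read any order just by changing {id} in the URL.
    static Order getOrderVulnerable(long id) {
        return ORDERS.stream().filter(o -> o.id() == id).findFirst()
                .orElseThrow(NoSuchElementException::new);
    }

    // SECURE pattern: the authenticated principal is part of the query
    // (findByIdAndOwnerEmail in Spring Data terms). Someone else's order and a
    // non-existent order both end in the same "not found" outcome, so the response
    // confirms neither existence nor ownership, and the denied lookup is audited.
    static Order getOrderSecure(long id, String principalEmail) {
        return ORDERS.stream()
                .filter(o -> o.id() == id && o.ownerEmail().equals(principalEmail))
                .findFirst()
                .orElseThrow(() -> {
                    AUDIT_LOG.add("ORDER_ACCESS_DENIED user=" + principalEmail + " orderId=" + id);
                    return new NoSuchElementException("Order not found");
                });
    }

    public static void main(String[] args) {
        // john is the authenticated user; order 2 belongs to jane
        System.out.println("vulnerable:   " + getOrderVulnerable(2));            // jane's order is returned
        System.out.println("secure own:   " + getOrderSecure(1, "john@example.com"));
        try {
            getOrderSecure(2, "john@example.com");
        } catch (NoSuchElementException e) {
            System.out.println("secure other: " + e.getMessage());                // generic not-found
        }
        System.out.println("audit:        " + AUDIT_LOG);
    }
}
```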
```text
owasp-ecommerce/
├── backend/                              # Spring Boot 3.2 application
│   ├── src/main/java/com/owasp/ecommerce/
│   │   ├── config/                       # Security, CORS, Data initialization
│   │   ├── controller/
│   │   │   ├── api/                      # REST API endpoints
│   │   │   └── admin/                    # Thymeleaf admin controllers
│   │   ├── dto/                          # Data Transfer Objects
│   │   ├── exception/                    # Global exception handling
│   │   ├── model/                        # JPA entities
│   │   ├── repository/                   # Spring Data repositories
│   │   ├── security/                     # JWT, authentication
│   │   ├── service/                      # Business logic
│   │   └── owasp/                        # OWASP demo endpoints
│   │       ├── vulnerable/               # ⚠️ Vulnerable implementations
│   │       └── secure/                   # ✅ Secure implementations
│   └── src/main/resources/
│       ├── templates/                    # Thymeleaf templates
│       └── application.yml               # Configuration
├── frontend/                             # React + Vite application
│   └── src/
│       ├── components/                   # Navbar, ProductCard, etc.
│       ├── pages/                        # Home, Cart, Checkout, Orders
│       ├── context/                      # AuthContext, CartContext
│       └── services/                     # API client (axios)
└── docs/
    ├── OWASP_TUTORIAL.md                 # Comprehensive OWASP tutorial
    └── owasp/                            # Additional OWASP documentation
```
For a comprehensive tutorial explaining each OWASP vulnerability with attack scenarios, vulnerable vs. secure code comparisons, and mitigation strategies, see:
- BCrypt password hashing (cost factor 12)
- JWT authentication with proper signing
- CSRF protection for session-based auth
- Security headers (CSP, X-Frame-Options, etc.)
- Account lockout after failed attempts
- Comprehensive audit logging
- Input validation with Bean Validation
- Parameterized queries preventing SQL injection
The API is documented with OpenAPI 3.0. Access:
- Swagger UI: http://localhost:8080/swagger-ui.html
- OpenAPI JSON: http://localhost:8080/api-docs
The vulnerable endpoints are for educational purposes only. They are:
- Gated behind the `owasp.demo.vulnerable-endpoints-enabled=true` configuration property, which should be disabled in production
- Used to demonstrate real-world vulnerabilities
MIT License - Educational use only.