This project demonstrates various security vulnerabilities, such as the ones listed in the OWASP Top 10.
This project requires Maven 3 and Java Development Kit version 8. The project does not work with Java 9.
- Extract, configure and install Maven on your machine, in an appropriate location: https://maven.apache.org/install.html.
- Extract and install Java Development Kit on your machine, in an appropriate location, e.g. c:\Program Files (x86)\Java\ on Windows, /System/Library/Java/ on Mac OSX, /usr/java/ on Linux.
- Configure the JAVA_HOME environment variable and path on your machine. Instructions here: WINDOWS, MAC, LINUX.
- You may need to also configure the Path variable: https://www.java.com/en/download/help/path.xml
- Download the TicketMagpie-master project to your local machine and install it to an appropriate location, e.g. C:\Users\[username]\ticketmagpie (on Windows). Make sure to rename ticketmagpie-master to ticketmagpie.
Once you have configured and installed Maven and Java Development Kit and TicketMagpie, you can start the application by running this command from the root folder of the project:
mvn spring-boot:run
The application will then be available at localhost.
The application is published on the docker hub. You can run it like this, with the in-memory database:
docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "codecop/ticketmagpie"
The application will then be available at localhost.
By default, the application expects a MySQL database to be available on localhost, default port 3306.
The application will use the user root to connect to a database called ticketmagpie.
If you have MySQL or MariaDB installed, initially create the database with:
mysql -u root < src/main/resources/create-mysql-database.sql
If you have Docker installed, run the latest MySQL docker image with suitable configuration:
docker run -d -e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
-e MYSQL_DATABASE=ticketmagpie -p 3306:3306 "mysql:latest"
You can pass custom database configuration as follows:
mvn spring-boot:run -Dspring.datasource.url=jdbc:mysql://MYSQL_SERVER:PORT/DB_NAME \
-Dspring.datasource.username=USER \
-Dspring.datasource.password=PASSWORD
If you do not have a database server, you can run the application with an HSQLDB in-memory database:
mvn spring-boot:run -Dspring.profiles.active=hsqldb
To send password recovery emails, you need to configure an SMTP server with credentials.
You can pass the email configuration as follows:
mvn spring-boot:run -Dmail.smtp.host=SMTP_SERVER \
-Dmail.smtp.port=587 \
[email protected] \
-Dmail.smtp.password=PASSWORD
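The Docker commands above publish their ports with `-p 8080:8080` and `-p 3306:3306`, which Docker binds on every host interface, so the intentionally vulnerable application and the passwordless MySQL root account become reachable from the network. The script below is an added example, not part of the TicketMagpie repository: it checks the JDK 8 requirement and starts the same containers bound to 127.0.0.1 only. The function names and the script name `run-local.sh` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the TicketMagpie repository.
# Checks the JDK 8 requirement and starts the README's containers with
# their ports published on 127.0.0.1 instead of every interface.

# Read `java -version` output on stdin, print the quoted version string,
# e.g. 'openjdk version "1.8.0_292"' -> 1.8.0_292
version_from_banner() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Reduce a version string to its major number:
# legacy scheme 1.8.0_292 -> 8, current scheme 9.0.4 -> 9, 11.0.2 -> 11
java_major() {
    v=$1
    case "$v" in 1.*) v=${v#1.} ;; esac
    printf '%s\n' "${v%%[!0-9]*}"
}

# Succeeds only for the JDK major version the README says works.
jdk_supported() { [ "$(java_major "$1")" = "8" ]; }

# Build a docker -p value that binds the published port to loopback.
loopback_publish() { printf '127.0.0.1:%s:%s\n' "$1" "$1"; }

# Passwordless MySQL as in the README, reachable from this host only.
start_mysql() {
    docker run -d -e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
        -e MYSQL_DATABASE=ticketmagpie \
        -p "$(loopback_publish 3306)" "mysql:latest"
}

# TicketMagpie with the in-memory database, reachable from this host only.
start_app() {
    docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" \
        -p "$(loopback_publish 8080)" "codecop/ticketmagpie"
}

# Usage (script name is a placeholder): sh run-local.sh check|mysql|app
case "${1:-}" in
    check) ver=$(java -version 2>&1 | version_from_banner)
           jdk_supported "$ver" || { echo "need JDK 8, found: ${ver:-none}" >&2; exit 1; } ;;
    mysql) start_mysql ;;
    app)   start_app ;;
esac
```

With loopback publishing, the application started from Maven on the same host can still reach MySQL on localhost port 3306, which is the default the project expects.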