security - What are common Java vulnerabilities? - Stack Overflow
known vulnerabilities - Vulnerable Java applications? - Information Security Stack Exchange
Secure Coding Practices in Java Resources
Collection of vulnerable code snippets (updated every friday)
Videos
Malicious Code injection.
Because Java (or any language using an interpreter at runtime), performs linkage at runtime, it is possible to replace the expected JARs (the equivalent of DLLs and SOs) with malicious ones at runtime.
This is a vulnerability, which is combated since the first release of Java, using various mechanisms.
- There are protections in places in the classloaders to ensure that java.* classes cannot be loaded from outside rt.jar (the runtime jar).
- Additionally, security policies can be put in place to ensure that classes loaded from different sources are restricted to performing only a certain set of actions - the most obvious example is that of applets. Applets are constrained by the Java security policy model from reading or writing the file system etc; signed applets can request for certain permissions.
- JARs can also be signed, and these signatures can be verified at runtime when they're loaded.
- Packages can also be sealed to ensure that they come from the same codesource. This prevents an attacker from placing classes into your package, but capable of performing 'malicious' operations.
If you want to know why all of this is important, imagine a JDBC driver injected into the classpath that is capable of transmitting all SQL statements and their results to a remote third party. Well, I assume you get the picture now.
After reading most of the responses I think your question has been answered in an indirect way. I just wanted to point this out directly. Java doesn't suffer from the same problems you see in C/C++ because it protects the developer from these types of memory attacks (buffer overflow, heap overflow, etc). Those things can't happen. Because there is this fundamental protection in the language security vulnerabilities have moved up the stack.
They're now occurring at a higher level. SQL injection, XSS, DOS, etc. You could figure out a way to get Java to remotely load malicious code, but to do that would mean you'd need to exploit some other vulnerability at the services layer to remotely push code into a directory then trigger Java to load through a classloader. Remote attacks are theoretically possible, but with Java it's more complicated to exploit. And often if you can exploit some other vulnerability then why not just go after and cut java out of the loop. World writable directories where java code is loaded from could be used against you. But at this point is it really Java that's the problem or your sys admin or the vendor of some other service that is exploitable?
The only vulnerabilities that pose remote code potential I've seen in Java over the years have been from native code the VM loads. The libzip vulnerability, the gif file parsing, etc. And that's only been a handful of problems. Maybe one every 2-3 years. And again the vuln is native code loaded by the JVM not in Java code.
As a language Java is very secure. Even these issues I discussed that can be theoretically attacked have hooks in the platform to prevent them. Signing code thwarts most of this. However, very few Java programs run with a Security Manager installed. Mainly because of performance, usability, but mainly because these vulns are very limited in scope at best. Remote code loading in Java hasn't risen to epidemic levels that buffer overflows did in the late 90s/2000s for C/C++.
Java isn't bullet proof as a platform, but it's harder to exploit than the other fruit on the tree. And hackers are opportunistic and go for that low hanging fruit.
If you are new to hunting I recommend starting out with WebGoat or Damn Vulnerable WebApp (DVWA). This is because it frames each vulnerability nicely, you just have to point and shoot. You can practice exploitation, and working with a real vulnerability. "The shooting range"
There are real applications that where intentionally written to be insecure (Like the Hacme series, which is under SASS Tools). The Dojo has a collection of these apps loaded onto a VM as well as tools to audit them. This is really the 2nd step because now you have to find where to shoot. "Hunting on the farm"
The 3rd step is going out and finding a real application. Search github/sourceforge/bitbucket/ect for web applications that are less than a year old and aren't that popular. These apps will vary, but most often then will be very insecure. "Hunting in the wild"
After that start working your way up to more popular applications, get CVE numbers, write exploit code, and explore newly developed exploitation techniques: exploit-db.com . "It gets more wild..."
Check out Stanford SecuriBench. It is a collection of open-source Java web applications that have had a variety of vulnerabilities, and which were used in some previous research papers to evaluate research tools. The collection is old (2005?) but it might still be useful for your purposes.
The benchmark includes both artificial applications that were designed to showcase some vulnerabilities (like WebGoat), as well as some realistic applications that were taken from real life and are not artificial. I think the latter is probably more useful for evaluation of tools, as they are more likely to be representative of coding patterns in real applications.