Replace XSS/SSTI/messaging modules with Kotlin coroutine SSRF proxy

Author: misonijnik

README.md

@@ -20,7 +20,7 @@ Intentionally vulnerable patterns, grouped by category:
 
 **Cross-endpoint persistence**: taint flow through JPA save/load cycle, inter-procedural getter through DI-resolved `@Service`, column-level sensitivity, field-level sanitization in entity constructor, `@Service` field state across requests, mid-flow sanitizer
 
-**Async coroutines**: user-controlled URL through Kotlin coroutine scope
+**Async coroutines (SSRF)**: user-controlled URL fetched via `URI.toURL().openConnection()` inside a Kotlin `CoroutineScope.launch` on `Dispatchers.IO`, with taint flowing through a data-class DTO and a `CompletableDeferred` bridge
 
 ## Tech Stack
 

build.gradle.kts

@@ -24,6 +24,7 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-data-jpa")
     implementation("org.freemarker:freemarker:2.3.33")
     implementation("commons-io:commons-io:2.17.0")
+    implementation("org.jetbrains.kotlin:kotlin-reflect")
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.8.1")
     runtimeOnly("com.h2database:h2")
     testImplementation("org.springframework.boot:spring-boot-starter-test")

src/main/java/org/seqra/Main.java

@@ -5,9 +5,9 @@
 import org.springframework.boot.autoconfigure.domain.EntityScan;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
 
-@SpringBootApplication(scanBasePackages = {"org.seqra", "org.spring"})
-@EntityScan("org.spring.persistence")
-@EnableJpaRepositories("org.spring.persistence")
+@SpringBootApplication(scanBasePackages = "org.seqra")
+@EntityScan("org.seqra.spring.persistence")
+@EnableJpaRepositories("org.seqra.spring.persistence")
 public class Main {
     public static void main(String[] args) {
         SpringApplication.run(Main.class, args);