Some Examples of OSS Risk

Commons Collections

In November of 2015, the Apache Commons Collections component latest release was 8 years old. Commons Collections was considered a reliable and stable component. A researcher found a way to exploit a deserialization issue in Commons Collections resulting in a remote code execution. The next day…​ everyone using Commons Collections was in a panic.

Ref: Thousands of Java applications vulnerable to nine-month-old remote code execution exploit

Dinis Cruz and Alvaro Munoz exploit of XStream

XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: Dinis Cruz Blog pwntester/XStreamPOC

You may want to read the article(s) before trying this lesson. Let’s see if you can figure out how to exploit this in WebGoat.