Cycubix LTD
Insecure Deserialization (5) | Cycubix Docs

Let’s try

The following input box receives a serialized object (a string) and it deserializes it.
Try to change this serialized object in order to delay the page response for exactly 5 seconds.


WebGoat probably contains the org.dummy.insecure.framework.VulnerableTaskHolder class as shown on the lesson pages. Use this to construct and serialize your attack.
The VulnerableTaskHolder might have been updated on the server with the next version number.
Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.
The solution is serializing a VulnerableTaskHolder object created with parameters suitable for the system.
For Windows it will be something that keeps the system busy for 5 seconds, many people seem to choose to ping localhost: "ping localhost -n 5" will do nicely. For Linux, a "sleep 5" gets the job done.
Windows payload:
Linux payload:
Code to generate payload; you can run this method as a test.
public void createPayload() throws Exception {
VulnerableTaskHolder o = new VulnerableTaskHolder("namenotimportant", "sleep 5");
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
Please note that this was only verified on a Windows machine and the Linux payload has been generated blindly.
Copy link