WebGoat Insecure Deserialization 5

This has been a long one, I had to brush up on my Java, watch thehackerish video on deserialization https://youtu.be/5grJYo9IqY0 and bang my head on any hard surface I could find, but it was worth it!

First things first, it is imperative to read all the lessons on deserialization prior to this one and then everything you find on google/youtube until you have a clear understanding of what is insecure deserialization

Once all the studying is done, the first thing needed in order to create an exploit for WebGoat InsecureDeserializationTask.java is the source code itself, so let’s clone WebGoat GitHub repository somewhere on your system

git clone https://github.com/WebGoat/WebGoat.git

By going to WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization you will find InsecureDeserializationTask.java

This piece of Java code is the endpoint used by WebGoat to check our token in order to complete this lesson, what it is expecting is a VulnerableTaskHolder object and then does checks to see if the serialized code is a timeout of 5 seconds as requested

To create a VulnerableTaskHolder object we can use WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java but first we need to compile it

Just to be thorough, the Java version used for this solution is

openjdk version "11.0.8" 2020–07–14

To compile this class successfully I have commented out all the references to “lombok.extern.slf4j.Slf4j” as it is not needed, here is my code complete with comments

Another, simpler way, to achieve the same result would be to only keep class VulnerableTaskHolder and the needed class imports, you can do as you like

So let’s compile this class

javac VulnerableTaskHolder.java

Ok so now we need a piece of code that creates a VulnerableTaskHolder object with a “sleep 5” task in it, by searching online you can find some Java files that do this, I found the following two:

thehackerish WebGoat Deserialization POC

WebGoat GitHub POC

I have made a few modifications to thehackerish’s Attack.java file as I am not using an IDE here and I wanted to use just javac/java commands for both Attack.java and BuildExploit.java

Here’s my Attack.java file source code

The screenshot shows the two source files, their compiled class files, the org directory in this lesson’s source and the serial file as result of running Attack.class

Let’s compile the source files

javac Attack.java
javac BuildExploit.java

Running Attack.class creates serial file which needs to be converted to base64 by means of

cat serial | base64 -w0

Running BuildExploit.class instead outputs the token directly in base64 format

The two tokens shown here are not the same as they have not been created at the same time

Copy the token of your choice in the lessons form to complete the lesson

If you would like to discuss this solution with me feel free to drop a comment

This concludes WebGoat Insecure Deserialization 5

I hope you liked it.

PVXs — https://twitter.com/pivixih

Big thanks to thehackerish for the all the content he has put online, go check out his website and his channels if you are looking for good infosec learning material

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store