chore: add pre-commit hooks
@ -2,4 +2,4 @@
It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserialized, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
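Review bot: the old and new sides of this hunk are textually identical, so the hook only normalised whitespace here; since the lesson prose is being reformatted anyway, two grammar slips on the shown lines could go in the same pass: "runs dangerous actions itself when is deserialized" should read "when it is deserialized", and "requires to spend a big amount of time reading code" should read "requires spending a large amount of time reading code".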
@ -7,4 +7,4 @@ This lesson describes what is Serialization and how it can be manipulated to per
* The user should have a basic understanding of Java programming language
* The user will be able to detect insecure deserialization vulnerabilities
* The user will be able to exploit insecure deserialization vulnerabilities
* Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them
* Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them
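Review bot: the last bullet has a subject-verb disagreement, "the key concepts learnt here also applies to all of them" should read "also apply to all of them"; the remaining visible lines are unchanged apart from whitespace, which is consistent with the rest of this chore commit.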
@ -36,7 +36,7 @@ public class VulnerableTaskHolder implements Serializable {
private String taskName;
private String taskAction;
private LocalDateTime requestedExecutionTime;
public VulnerableTaskHolder(String taskName, String taskAction) {
super();
this.taskName = taskName;
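Review bot: `super();` in the `VulnerableTaskHolder` constructor is redundant, because the class header shows no `extends` clause, so the only superclass is `Object` and the compiler inserts that no-arg call anyway; dropping the line shortens the listing without changing behaviour. Otherwise this hunk is whitespace-only.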
@ -47,7 +47,7 @@ public class VulnerableTaskHolder implements Serializable {
private void readObject( ObjectInputStream stream ) throws Exception {
//deserialize data so taskName and taskAction are available
stream.defaultReadObject();
//blindly run some code. #code injection
Runtime.getRuntime().exec(taskAction);
}
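Review bot: `readObject( ObjectInputStream stream ) throws Exception` deviates from the signature the Java serialization contract specifies, `private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException`; the runtime still invokes it, because the lookup keys on method name and parameter type rather than on the throws clause, but a listing whose purpose is to teach readers to recognise this hook is clearer with the standard signature. The `Runtime.getRuntime().exec(taskAction)` call on data taken straight from the stream is the intended teaching example and should stay exactly as written; the spaces inside the parameter parentheses are the only other style nit.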
@ -67,4 +67,4 @@ ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(go);
oos.flush();
byte[] exploit = bos.toByteArray();
----
----
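Review bot: the `ObjectOutputStream` in this listing is flushed but never closed; with a `ByteArrayOutputStream` underneath, `oos.flush()` is enough for `bos.toByteArray()` to hold the complete stream, but a try-with-resources around `oos` would be the idiomatic form for a lesson listing. The repeated `----` line marks the only changed line of the hunk and reads identically on both sides, so the edit itself is a whitespace or end-of-file newline fix.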
@ -5,4 +5,4 @@ The following input box receives a serialized object (a string) and it deseriali
rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l
```
Try to change this serialized object in order to delay the page response for exactly 5 seconds.
Try to change this serialized object in order to delay the page response for exactly 5 seconds.
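Review bot: the lesson text introduces the sample as "a serialized object (a string)" but never tells learners how to recognise one; a short sentence noting that the leading `rO0AB` of the sample is the base64 encoding of the Java serialization stream magic `AC ED 00 05` would give them the marker that detection rules and code reviews key on. The duplicated "Try to change this serialized object" line shows this hunk is otherwise whitespace-only.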
@ -20,4 +20,4 @@ Many programming languages offer a native capability for serializing objects. Th
=== Data, not Code
ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized.
ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized.
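Review bot: "in order to obtain and object identical to the object that was serialized" has a typo, "and" should be "an"; the hunk is otherwise whitespace-only. The "Data, not Code" heading is the right emphasis for this section, since it is the premise the later gadget-chain material builds on.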
@ -8,4 +8,4 @@ insecure-deserialization.stringobject=That is not the VulnerableTaskHolder objec
insecure-deserialization.hints.1=WebGoat probably contains the org.dummy.insecure.framework.VulnerableTaskHolder class as shown on the lesson pages. Use this to construct and serialize your attack.
insecure-deserialization.hints.2=The VulnerableTaskHolder might have been updated on the server with a next version number.
insecure-deserialization.hints.3=Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.
insecure-deserialization.hints.3=Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.
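Review bot: in `insecure-deserialization.hints.3`, "does not effect the data" should be "does not affect the data", and the sentence "For serializing it does not effect the data." is hard to parse; something like "Serialization of the object is not affected by this change." would say the same thing clearly. The remaining lines of the hunk are identical on both sides, so the change is whitespace-only.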