deserialization made solvable again (#673)

* first objects and unit tests for making a fix for the lesson * example added * unit test for windows and linux * added unit tests hints and feedbacks and updated lesson pages * small typo correction
2019-10-02 08:26:48 +02:00
parent 6c14f4987c
commit 7536770769
8 changed files with 330 additions and 24 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java
@ -0,0 +1,34 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.dummy.insecure.framework.VulnerableTaskHolder;
+import org.junit.Test;
+import org.owasp.webgoat.deserialization.SerializationHelper;
+
+public class DeserializationTest extends IntegrationTest {
+
+	private static String OS = System.getProperty("os.name").toLowerCase();
+    
+    @Test
+    public void runTests() throws IOException {
+        startLesson("InsecureDeserialization");
+        
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+                
+        if (OS.indexOf("win")>-1) {
+        	params.put("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")));
+        } else {
+            params.put("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")));
+        }
+        checkAssignment(url("/WebGoat/InsecureDeserialization/task"),params,true);
+        
+        checkResults("/InsecureDeserialization/");
+    
+    }
+    
+    
+}