deserialization made solvable again (#673)

* first objects and unit tests for making a fix for the lesson

* example added

* unit test for windows and linux

* added unit tests hints and feedbacks and updated lesson pages

* small typo correction

webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,4 +1,14 @@
 insecure-deserialization.title=Insecure Deserialization
 
 insecure-deserialization.intercept.success=Dangerous object received!
-insecure-deserialization.intercept.failure=Try again
+insecure-deserialization.intercept.failure=Try again
+
+insecure-deserialization.invalidversion=The serialization id does not match. Probably the version has been updated. Let's try again.
+insecure-deserialization.expired=The task is not executable between now and the next ten minutes, so the action will be ignored. Maybe you copied an old solution? Let's try again.
+insecure-deserialization.wrongobject=That is not the VulnerableTaskHolder object. Good try! because the code is not checking this after running the readObject(). Let's try again with the right object.
+insecure-deserialization.stringobject=That is not the VulnerableTaskHolder object. However a plain String is harmless. Let's try again with the right object.
+
+
+insecure-deserialization.hints.1=WebGoat probably contains the org.dummy.insecure.framework.VulnerableTaskHolder class as shown on the lesson pages. Use this to construct and serialize your attack.
+insecure-deserialization.hints.2=The VulnerableTaskHolder might have been updated on the server with a next version number.
+insecure-deserialization.hints.3=Not all actions are allowed anymore. The readObject has been changed. For serializing it does not effect the data. Follow the additional hints from the feedback on your attempts.

webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc

@@ -20,12 +20,37 @@ Attackers need to find a class in the classpath that supports serialization and
 
 [source,java]
 ----
-public class GadgetObject implements Serializable {
-    String cmd;
+package org.dummy.insecure.framework;
 
-    private void readObject( ObjectInputStream stream ) throws Exception {
-        Runtime.getRuntime().exec(cmd);
-    }
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+
+public class VulnerableTaskHolder implements Serializable {
+
+	private static final long serialVersionUID = 1;
+
+	private String taskName;
+	private String taskAction;
+	private LocalDateTime requestedExecutionTime;
+	
+	public VulnerableTaskHolder(String taskName, String taskAction) {
+		super();
+		this.taskName = taskName;
+		this.taskAction = taskAction;
+		this.requestedExecutionTime = LocalDateTime.now();
+	}
+
+	private void readObject( ObjectInputStream stream ) throws Exception {
+        //deserialize data so taskName and taskAction are available
+		stream.defaultReadObject();
+		
+		//blindly run some code. #code injection
+		Runtime.getRuntime().exec(taskAction);
+     }
 }
 ----
 
@@ -35,8 +60,7 @@ If the java class shown above exists, attackers can serialize that object and ob
 
 [source,java]
 ----
-GadgetObject go = new GadgetObject();
-go.cmd = "touch /tmp/pwned.txt";
+VulnerableTaskHolder go = new VulnerableTaskHolder("delete all", "rm -rf somefile");
 
 ByteArrayOutputStream bos = new ByteArrayOutputStream();
 ObjectOutputStream oos = new ObjectOutputStream(bos);