Added lesson texts

2018-05-22 10:24:34 +02:00 · 2018-05-22 10:24:34 +02:00 · 93d6d0e6b7
commit 93d6d0e6b7
parent 84860e65f6
6 changed files with 94 additions and 9 deletions
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
@ -3,12 +3,21 @@
 <html xmlns:th="http://www.thymeleaf.org">

    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
        <div class="adoc-content" th:replace="doc:InsecureDeserialization_Intro.adoc"></div>
    </div>

+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:InsecureDeserialization_WhatIs.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:InsecureDeserialization_SimpleExploit.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:InsecureDeserialization_GadgetChain.adoc"></div>
+    </div>
+
    <div class="lesson-page-wrapper">
        <!-- stripped down without extra comments -->
        <div class="adoc-content" th:replace="doc:InsecureDeserialization_Task.adoc"></div>
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_GadgetChain.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_GadgetChain.adoc
@ -0,0 +1,5 @@
+== What is a Gadgets Chain
+
+It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserializaded, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
+
+Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc
@ -1,7 +1,10 @@

 == Concept
-Encryption is a very inportant tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data.
+
+This lesson describes what is Serialization and how it can be manipulated to perform tasks that were not the original intent of the developer.

 == Goals
-* The user should have a basic understanding of packet sniffer usage
-* The user will be able to intercept and read an unencrypted requests
+* The user should have a basic understanding of Java programming language
+* The user will be able to detect insecure deserialization vulnerabilities
+* The user will be able to exploit insecure deserialization vulnerabilities
+* Exploiting deserialization is slightly different in other programming languages such as PHP or Python, but the key concepts learnt here also applies to all of them
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
@ -0,0 +1,46 @@
+== The Simplest Exploit
+
+=== Vulnerable code
+
+The following is a well-known example for a Java Deserialization vulnerability.
+
+[source,java]
+----
+InputStream is = request.getInputStream();
+ObjectInputStream ois = new ObjectInputStream(is);
+AcmeObject acme = (AcmeObject)ois.readObject();
+----
+
+It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs.
+If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to performe those actions.
+
+=== Class included in ClassPath
+
+Attackers need to find a class in the classpath that supports serialization and with dangerous implementations on `readObject()`.
+
+[source,java]
+----
+public class GadgetObject implements Serializable {
+    String cmd;
+
+    private void readObject( ObjectInputStream stream ) throws Exception {
+        Runtime.getRuntime().exec(cmd);
+    }
+}
+----
+
+=== Exploit
+
+If the java class shown above exists, attackers can serialize that object and obtain Remote Code Execution.
+
+[source,java]
+----
+GadgetObject go = new GadgetObject();
+go.cmd = "touch /tmp/pwned.txt";
+
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ObjectOutputStream oos = new ObjectOutputStream(bos);
+oos.writeObject(go);
+oos.flush();
+byte[] exploit = bos.toByteArray();
+----
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc
@ -1,9 +1,8 @@
 === Let's try
-Click the "log in" button to send a request containing login credentials of another user.
+The following input box receives a serialized object (a string) and it deserialzes it.

 ```
 rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l
 ```

-Then, write these credentials into the appropriate fields and submit to confirm.
-Try using a packet sniffer to intercept the request.
+Try to change this serialized object in order to delay the page response for exactly 5 seconds.
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_WhatIs.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_WhatIs.adoc
@ -0,0 +1,23 @@
+== What is Serialization
+
+Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
+
+----
+a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user"; i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
+----
+
+=== Native Serialization
+
+Many programming languages offer a native capability for serializing objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.
+
+=== Known Affected Programming Languages
+* PHP
+* Python
+* Ruby
+* Java
+* C
+* C++
+
+=== Data, not Code
+
+ONLY data is serialized. Code is not serialized itself. Deserialization creates a new object and copies all the data from the byte stream, in order to obtain and object identical to the object that was serialized.