Blog | G5 Cyber Security

Webgoat Deserialization: Hint Guide

TL;DR

This guide provides hints to help you solve the Deserialization exercise in WebGoat 8. The goal is to exploit a Java deserialization vulnerability: the lesson deserializes attacker-controlled bytes, and the hints below walk through why that is dangerous and how the exercise expects you to demonstrate it.

Solution

  1. Understand the Vulnerability: This exercise focuses on exploiting insecure deserialization in Java. Deserialization takes data (usually from a file or network) and turns it back into an object. The serialized stream itself names the classes to instantiate and supplies their field values; if the application deserializes untrusted input without restricting those classes, the deserialization callbacks of whatever class the stream names (readObject, readResolve, and the methods they reach) run with attacker-chosen field values, which is how arbitrary code ends up executing when the object is reconstructed.
  2. Inspect the Code: Look at the source code of the Webgoat application for this exercise. Pay close attention to where user input is being deserialized. Specifically, examine the DeserializeServlet class.
  3. Identify the Deserialization Point: The vulnerable part of the code takes a serialized Java object as input and attempts to deserialize it using ObjectInputStream with no class allowlist or filter. The key lines will likely involve something like:
    // Raw request body is handed straight to ObjectInputStream; no ObjectInputFilter, no type check
    ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
    // Any class named in the stream is instantiated here, so gadget chains run inside this call
    Object obj = ois.readObject();
  4. Find a Gadget: A ‘gadget’ is a chain of code that, when triggered during deserialization, allows you to execute arbitrary commands. You need to find a class within the Webgoat application (or its dependencies) that has methods which can be chained together to achieve your goal.
    • Useful Classes: Look for classes with methods like exec(), Runtime.getRuntime().exec() or similar command execution functions.
    • ysoserial: The ysoserial project is a valuable resource. It provides pre-built payloads (gadgets) for various Java frameworks and libraries. While you don’t need to use ysoserial directly in Webgoat, it can help you understand how deserialization exploits work and identify potential gadgets.
  5. Create a Payload: Once you’ve identified a gadget, you need to create a serialized Java object that triggers the execution of your desired command. This is often done using a tool or custom code.
    • Serialization Tools: You can use a tool such as fastjsonexploit (this exercise does not involve fastjson, but the serialization concepts are similar) or write your own Java code that builds the object and writes it with ObjectOutputStream.
    • Example Payload Structure: The payload will need to instantiate the class containing the gadget and set its properties in a way that causes it to execute your command when deserialized. The exact structure depends on the chosen gadget.
  6. Send the Payload: Send the serialized object as part of an HTTP request to the Webgoat application’s endpoint (usually via POST). Use a tool like Burp Suite or curl to craft and send the request.
    • Content-Type: Ensure your request includes the correct Content-Type header, typically application/octet-stream for serialized Java objects.
    • Example Curl Command: (Replace payload.ser with the file holding your serialized payload; use --data-binary rather than -d, because -d strips carriage returns and newlines and will corrupt a binary Java serialization stream)
      curl -X POST -H "Content-Type: application/octet-stream" --data-binary @payload.ser http://localhost:8080/WebGoat/DeserializeServlet
  7. Verify Execution: If the exploit is successful, your command should be executed on the server. The exercise typically provides a way to verify execution (e.g., by checking for a specific file creation or output in the logs).
  8. Debugging Tips:
    • Logging: Enable detailed logging in Webgoat to see what’s happening during deserialization.
    • Java Debugger: Use a Java debugger (like IntelliJ IDEA’s) to step through the code and understand how the object is being reconstructed.
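The vulnerable readObject() pattern from step 3 has a standard fix on the defensive side: a deserialization filter (JEP 290, Java 9 and later) that allowlists the one type the endpoint expects and rejects every other class before it is instantiated. The following is an added example written for this guide, not WebGoat's own code. The TaskMessage class, the size and depth limits, the stderr logging, and the use of java.util.Date as a stand-in for an unexpected class are all assumptions; the four-byte stream header check reflects the documented Java serialization magic (0xACED) and version (0x0005).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;
import java.util.Set;

public class DeserializationFilterDemo {

    // Hypothetical: the single message type this endpoint is meant to receive.
    public static final class TaskMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        TaskMessage(String text) { this.text = text; }
    }

    // Vulnerable pattern from the guide: any class named in the stream is instantiated.
    static Object readUnfiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(body)) {
            return ois.readObject(); // gadget chains execute inside this call
        }
    }

    // Hardened: an allowlist filter rejects every other class before construction
    // and caps nesting depth, back-references and total stream size.
    static Object readFiltered(InputStream body) throws IOException, ClassNotFoundException {
        // String is listed too, since some JDK releases pass it through the filter.
        Set<String> allowed = Set.of(TaskMessage.class.getName(), String.class.getName());
        ObjectInputFilter allowlist = info -> {
            if (info.depth() > 4 || info.references() > 50 || info.streamBytes() > 8 * 1024) {
                return ObjectInputFilter.Status.REJECTED; // limits are assumptions for this demo
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // back-reference check, not a class
            }
            if (allowed.contains(c.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            // Detection hook: a rejected class name is exactly what you want in the logs.
            System.err.println("deserialization filter rejected " + c.getName());
            return ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(body)) {
            ois.setObjectInputFilter(allowlist); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // Edge check usable in a proxy or request log: does this body start with the
    // Java serialization header (magic 0xACED, version 0x0005)?
    static boolean looksLikeJavaSerialization(byte[] body) {
        return body.length >= 4
            && (body[0] & 0xFF) == 0xAC && (body[1] & 0xFF) == 0xED
            && body[2] == 0x00 && body[3] == 0x05;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new TaskMessage("hello"));
        byte[] unexpected = serialize(new Date()); // stands in for any class the endpoint never asked for

        System.out.println("header detected: " + looksLikeJavaSerialization(unexpected));

        // The filtered reader accepts the expected type normally.
        TaskMessage msg = (TaskMessage) readFiltered(new ByteArrayInputStream(expected));
        System.out.println("filtered ok: " + msg.text);

        // The unfiltered reader instantiates whatever arrives...
        Object any = readUnfiltered(new ByteArrayInputStream(unexpected));
        System.out.println("unfiltered accepted: " + any.getClass().getName());

        // ...while the filtered reader stops it before the object exists.
        try {
            readFiltered(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The filter is evaluated for each class descriptor as the stream is parsed, so the rejection happens before the unexpected class's readObject or readResolve ever runs; that ordering is the whole point of the mitigation. In a real servlet the same filter would be attached to the ObjectInputStream wrapping request.getInputStream(), or installed process-wide with the jdk.serialFilter system property.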