From 84860e65f6c1f5d13ddc53b0f85129eb0b8459af Mon Sep 17 00:00:00 2001 From: Jose Selvi Date: Wed, 16 May 2018 17:35:03 +0200 Subject: [PATCH] Insecure Deserialization exercise --- .../org/owasp/webgoat/lessons/Category.java | 1 + .../insecure-deserialization/pom.xml | 34 +++++++ .../plugin/InsecureDeserialization.java | 63 +++++++++++++ .../plugin/InsecureDeserializationTask.java | 90 +++++++++++++++++++ .../html/InsecureDeserialization.html | 32 +++++++ .../resources/i18n/WebGoatLabels.properties | 4 + .../src/main/resources/js/credentials.js | 6 ++ .../en/InsecureDeserialization_Intro.adoc | 7 ++ .../en/InsecureDeserialization_Task.adoc | 9 ++ webgoat-lessons/pom.xml | 1 + webgoat-server/pom.xml | 5 ++ 11 files changed, 252 insertions(+) create mode 100755 webgoat-lessons/insecure-deserialization/pom.xml create mode 100755 webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserialization.java create mode 100755 webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserializationTask.java create mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html create mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties create mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js create mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc create mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java index 2b25b698e2..bdef4d39e1 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java 
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java @@ -46,6 +46,7 @@ public enum Category { INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)), INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)), INSECURE_STORAGE("Insecure Storage", new Integer(800)), + INSECURE_DESERIALIZATION("Insecure Deserialization", new Integer(850)), REQUEST_FORGERIES("Request Forgeries", new Integer(900)), VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)), AJAX_SECURITY("AJAX Security", new Integer(1000)), diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml new file mode 100755 index 0000000000..0c7e172d1a --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/pom.xml @@ -0,0 +1,34 @@ + + 4.0.0 + insecure-deserialization + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0.0.M3 + + + + + org.springframework.boot + spring-boot-starter-test + test + + + org.springframework.security + spring-security-test + 4.1.3.RELEASE + test + + + junit + junit + ${junit.version} + jar + test + + + + + diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserialization.java b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserialization.java new file mode 100755 index 0000000000..a992b6de62 --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserialization.java 
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class InsecureDeserialization extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INSECURE_DESERIALIZATION;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 1;
+ }
+
+ @Override
+ public String getTitle() {
+ return "insecure-deserialization.title";
+ }
+
+ @Override
+ public String getId() {
+ return "InsecureDeserialization";
+ }
+}
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserializationTask.java b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserializationTask.java
new file mode 100755
index 0000000000..39558864a5
--- /dev/null
+++ b/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/plugin/InsecureDeserializationTask.java
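Review bot: getHints() is declared with a raw `List` and filled through `com.beust.jcommander.internal.Lists`, an internal package of a CLI library that happens to be on the classpath rather than a supported API; prefer the JDK, e.g. `return new ArrayList<>();` with `import java.util.ArrayList;`, and give the override the element type the `NewLesson` base declares (presumably `List<String>` — confirm against the base class). The class Javadoc is copied from another lesson: `Copyright (c) 2002 - 20014` has a typo and `@since October 12, 2016` does not describe this 2018 file, so either fix them or drop the copied dates.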
@@ -0,0 +1,90 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ByteArrayInputStream;
+import java.util.Base64;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+@AssignmentPath("/InsecureDeserialization/task")
+public class InsecureDeserializationTask extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String token) throws IOException {
+ String b64token;
+ byte [] data;
+ ObjectInputStream ois;
+ Object o;
+ long before, after;
+ int delay;
+
+ b64token = token.replace('-', '+').replace('_', '/');
+ try {
+ data = Base64.getDecoder().decode(b64token);
+ ois = new ObjectInputStream( new ByteArrayInputStream(data) );
+ } catch (Exception e) {
+ return trackProgress(failed().build());
+ }
+
+ before = System.currentTimeMillis();
+ try {
+ o = ois.readObject();
+ } catch (Exception e) {
+ o = null;
+ }
+ after = System.currentTimeMillis();
+ ois.close();
+
+ delay = (int)(after - before);
+ if ( delay > 7000 ) {
+ return trackProgress(failed().build());
+ }
+ if ( delay < 3000 ) {
+ return trackProgress(failed().build());
+ }
+ return trackProgress(success().build());
+ }
+}
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html b/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
new file mode 100755
index 0000000000..238a2a04f8
--- /dev/null
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
@@ -0,0 +1,32 @@
+
+
+
+
+
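Review bot: None of the failed()/success() results in completed() carry the feedback keys this same commit adds to WebGoatLabels.properties (`insecure-deserialization.intercept.success` / `.failure`), so those labels are dead and the learner gets no message; attach them, e.g. `return trackProgress(failed().feedback("insecure-deserialization.intercept.failure").build());` on the three failure returns and the `.success` key on the final return. The unfiltered `ois.readObject()` on a request parameter is the lesson's intended sink, which deserves a comment such as `// Intentionally vulnerable: untrusted bytes are deserialized without any filter — this is the lesson's sink` so a later cleanup does not silently "fix" the exercise. The second `catch (Exception e)` discards the exception and the result `o` is assigned but never read, and the `HttpServletRequest` import is unused; dropping `o` and the import (or at least logging the failure) would make it clearer that only the elapsed time is scored. That pass condition is wall-clock only (3–7 s between the two `currentTimeMillis()` calls), so a comment stating the window and why it was chosen would help, since a loaded host can push a correct submission outside it.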

+ + +
+
+ +
+ +
+
+
+ +
+ + + + +
+
+
+
+
+ diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties new file mode 100755 index 0000000000..53e252b67e --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1,4 @@ +insecure-deserialization.title=Insecure Deserialization + +insecure-deserialization.intercept.success=Dangerous object received! +insecure-deserialization.intercept.failure=Try again \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js b/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js new file mode 100755 index 0000000000..b7387c6238 --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js @@ -0,0 +1,6 @@ +function submit_secret_credentials() { + var xhttp = new XMLHttpRequest(); + xhttp['open']('POST', '#attack/307/100', true); + //sending the request is obfuscated, to descourage js reading + var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]})) +} \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc new file mode 100755 index 0000000000..f4fac84711 --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc 
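Review bot: credentials.js posts hard-coded, obfuscated credentials (the `CaptainJack`/`BlackPearl` pair) to `#attack/307/100`, which matches the insecure-login lesson rather than this lesson's `/InsecureDeserialization/task` endpoint and its `token` parameter, so it looks like a leftover from copying that module; the HTML in this patch is not recoverable here, so whether anything references it cannot be confirmed. Either drop the file or replace it with a small helper that submits the `token` field, and fix `descourage` in the comment if it stays. The Intro and Task .adoc files carry the same packet-sniffer text from that lesson and would want the same pass.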
@@ -0,0 +1,7 @@ + +== Concept +Encryption is a very inportant tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data. + +== Goals +* The user should have a basic understanding of packet sniffer usage +* The user will be able to intercept and read an unencrypted requests \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc new file mode 100755 index 0000000000..c8ba418d77 --- /dev/null +++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc @@ -0,0 +1,9 @@ +=== Let's try +Click the "log in" button to send a request containing login credentials of another user. + +``` +rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l +``` + +Then, write these credentials into the appropriate fields and submit to confirm. +Try using a packet sniffer to intercept the request. diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index fb6c018615..63dca5f485 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -22,6 +22,7 @@ http-basics http-proxies insecure-login + insecure-deserialization jwt sql-injection xxe diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index 483c3a0b61..5bd46135d8 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -145,6 +145,11 @@ insecure-login ${project.version} + + org.owasp.webgoat.lesson + insecure-deserialization + ${project.version} + org.owasp.webgoat.lesson jwt