Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

hvqzao/java-deserialize-webapp

BranchesTags
Open more actions menu

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.settings
.settings
 
 
src/main
src/main
 
 
target
target
 
 
.classpath
.classpath
 
 
.project
.project
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

java-deserialize-webapp

This application will attempt to java deserialize user provided input. commons-collections4:4.0 is on classpath and it can be used for playing around with exploitation.

deserialize

Building

(already done)

mvn clean package

Running

By default, application binds to 0.0.0.0:8000 (to bind to localhost, edit src/main/java/hvqzao/java/deserialize/webapp/embedded/Server.java file and rebuild the project).

Linux:

git clone https://github.com/hvqzao/java-deserialize-webapp
cd java-deserialize-webapp
sh target/bin/webapp

Windows:

git clone https://github.com/hvqzao/java-deserialize-webapp
cd java-deserialize-webapp
start target/bin/webapp.bat

Example attack

java -jar ysoserial-0.0.4-all.jar CommonsCollections4 'shell command...' | base64 | tr -d "\n"

Payload must also be properly url-encoded.

License

MIT License

About

Vulnerable webapp testbed

Topics

java-webapp intentionally-vulnerable deserialization-vulnerability

Resources

Readme

License

MIT license
Activity

Stars

23 stars

Watchers

1 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
Morty Proxy This is a proxified and sanitized view of the page, visit original site.