Hardened XStream with a converter to prevent exploitation

erosiec · Dec 9, 2024 · 00d5438 · 00d5438
1 parent b67eb44
commit 00d5438
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/pom.xml b/pom.xml
@@ -149,6 +149,7 @@
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
     <zxcvbn.version>1.8.0</zxcvbn.version>
+    <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
   </properties>
 
   <dependencyManagement>
@@ -267,6 +268,11 @@
         <artifactId>jruby</artifactId>
         <version>9.4.3.0</version>
       </dependency>
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit-xstream</artifactId>
+        <version>${versions.java-security-toolkit-xstream}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
   <dependencies>
@@ -444,6 +450,10 @@
       <artifactId>spring-boot-properties-migrator</artifactId>
       <scope>runtime</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
   <repositories>

diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -39,6 +40,7 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
   @PostMapping("/VulnerableComponents/attack1")
   public @ResponseBody AttackResult completed(@RequestParam String payload) {
     XStream xstream = new XStream();
+    xstream.registerConverter(new HardeningConverter());
     xstream.setClassLoader(Contact.class.getClassLoader());
     xstream.alias("contact", ContactImpl.class);
     xstream.ignoreUnknownElements();

diff --git a/...t/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java b/...t/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.vulnerablecomponents;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
@@ -49,6 +50,7 @@ public class VulnerableComponentsLessonTest {
   @Test
   public void testTransformation() throws Exception {
     XStream xstream = new XStream();
+    xstream.registerConverter(new HardeningConverter());
     xstream.setClassLoader(Contact.class.getClassLoader());
     xstream.alias("contact", ContactImpl.class);
     xstream.ignoreUnknownElements();
@@ -59,6 +61,7 @@ public void testTransformation() throws Exception {
   @Disabled
   public void testIllegalTransformation() throws Exception {
     XStream xstream = new XStream();
+    xstream.registerConverter(new HardeningConverter());
     xstream.setClassLoader(Contact.class.getClassLoader());
     xstream.alias("contact", ContactImpl.class);
     xstream.ignoreUnknownElements();
@@ -72,6 +75,7 @@ public void testIllegalTransformation() throws Exception {
   @Test
   public void testIllegalPayload() throws Exception {
     XStream xstream = new XStream();
+    xstream.registerConverter(new HardeningConverter());
     xstream.setClassLoader(Contact.class.getClassLoader());
     xstream.alias("contact", ContactImpl.class);
     xstream.ignoreUnknownElements();