
Lab: Exploiting Java deserialization with Apache Commons
This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library. Although you don't have source code access, you can still exploit this lab using pre-built gadget chains.

To solve the lab, use a third-party tool to generate a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos's home directory.

You can access your own account with the following credentials: wiener:peter