Added checking for insecure deserialisation to WebGoat shell script.

marek-trtik · Owen Jones · commit ef098eeb5748 · 2018-08-17T15:19:47.000+01:00
diff --git a/benchmarks/GENUINE/WebGoat.sh b/benchmarks/GENUINE/WebGoat.sh
@@ -8,7 +8,8 @@ fi
 # Two sets of lessons which work depending on which rules file to use
 LESSONS_WHICH_WORK_SQL='SqlInjectionLesson5a SqlInjectionLesson5b SqlInjectionLesson6a SqlInjectionLesson12a SqlInjectionChallenge Assignment5 Assignment6 SimpleXXE BlindSendFileAssignment'
 LESSONS_WHICH_WORK_XSS='CrossSiteScriptingLesson5a'
-LESSONS_WHICH_DO_NOT_WORK='Assignment3 ContentTypeAssignment VulnerableComponentsLesson MissingFunctionACUsers'
+LESSONS_WHICH_WORK_IDES='VulnerableComponentsLesson'
+LESSONS_WHICH_DO_NOT_WORK='Assignment3 ContentTypeAssignment MissingFunctionACUsers'
 
 # Stop script if a command does not succeed
 set -e
@@ -90,3 +91,21 @@ do
 	mv ${OUTPUT_DIR}/WebGoat/${LESSON}/results/* ${OUTPUT_DIR}/WebGoat/results
 	rm -rf ${OUTPUT_DIR}/WebGoat/${LESSON}
 done
+
+for LESSON in $LESSONS_WHICH_WORK_IDES
+do
+	python3 $SCRIPT_DIR/../../driver/run.py \
+	-C $SCRIPT_DIR/WebGoatRulesIDES.json \
+	-I $DEPLOY_DIR \
+	-L $DEPLOY_DIR \
+	-R $OUTPUT_DIR/WebGoat/${LESSON}/results \
+	-T $OUTPUT_DIR/WebGoat/${LESSON}/temp \
+	--name WebGoat \
+	--use-models-library \
+	--timeout 10000000  --verbosity 9 --rebuild \
+	--do-not-use-precise-access-paths \
+	--entry-point Main.$LESSON
+
+	mv ${OUTPUT_DIR}/WebGoat/${LESSON}/results/* ${OUTPUT_DIR}/WebGoat/results
+	rm -rf ${OUTPUT_DIR}/WebGoat/${LESSON}
+done
