Code for the Veracode blog
To demonstrate the code execution:
- Build the project using Maven
- Execute `python3 -m http.server 8080` to run the HTTP server
- Run `exploit.java`. You should observe an HTTP GET request on the server
- To demonstrate how SnakeYAML 2.0 prevents the attack, comment out the 1.33 dependency in the `pom.xml`
- Uncomment the 2.0 dependency, then rebuild the project
- Comment out `exploit.java` and uncomment `Poc.java`
- Run `Poc.java` and observe no GET request
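
The dependency swap in the steps above changes how the default loader treats class tags in a document: SnakeYAML 1.33's `new Yaml()` instantiates the class a `!!` tag names, while 2.0 rejects such tags unless they are explicitly allowed. The check below is an added example, not code from this repository or the blog; the class name `GlobalTagCheck` and the sample document are assumptions, and the document is a constructed, harmless one. It compiles against either dependency, so it can be run before and after the `pom.xml` change.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (hypothetical class, not part of this repository).
public class GlobalTagCheck {

    // Constructed sample input: a global tag naming a harmless JDK class.
    // A loader that honours the tag ends up calling new AtomicInteger(7).
    static final String TAGGED_DOC =
            "!!java.util.concurrent.atomic.AtomicInteger [7]";

    /** Returns true when the loader refuses to build the tagged class. */
    static boolean rejectsGlobalTag(Yaml yaml) {
        try {
            Object loaded = yaml.load(TAGGED_DOC);
            System.out.println("  instantiated " + loaded.getClass().getName());
            return false;
        } catch (YAMLException e) {
            // Rejections surface as a YAMLException subclass.
            System.out.println("  rejected: " + e.getClass().getSimpleName());
            return true;
        }
    }

    public static void main(String[] args) {
        // Default loader: behaviour depends on the SnakeYAML version in pom.xml.
        System.out.println("new Yaml():");
        boolean defaultRejects = rejectsGlobalTag(new Yaml());

        // SafeConstructor only builds standard YAML types on both versions.
        System.out.println("new Yaml(new SafeConstructor(new LoaderOptions())):");
        boolean safeRejects = rejectsGlobalTag(
                new Yaml(new SafeConstructor(new LoaderOptions())));

        if (!safeRejects) {
            throw new IllegalStateException("SafeConstructor accepted a class tag");
        }
        System.out.println(defaultRejects
                ? "Default loader rejects class tags."
                : "Default loader instantiates tagged classes; "
                  + "use SafeConstructor for untrusted input or upgrade.");
    }
}
```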