
JAVA Web System Deserialization Vulnerability Detection Technology

Hung-Wei Chiang,
Chao-Lung Chou

Abstract


As technology advances, web systems have become both more widespread and more complex, and with that complexity come more vulnerabilities and security threats. Because web systems are built on numerous third-party libraries, a defective or exploitable function in any of those libraries can become a vulnerability in the system. In the OWASP Top 10:2021, insecure deserialization falls under A08 (Software and Data Integrity Failures). Current black-box testing does not necessarily uncover deserialization vulnerabilities, so manual review is needed to prevent them. White-box testing is one of the primary methods in web penetration testing: through source code analysis, penetration testers identify weaknesses in the target web application, develop attack code to exploit them in a penetration test, and then patch the vulnerabilities identified.
Based on this issue, this study builds a Java web system containing a deliberately planted deserialization vulnerability and scans it with well-known vulnerability scanners as black-box testing. The scans report no exploitable vulnerability. A white-box review of the source code then identifies the flaw, and attack code is developed to demonstrate the deserialization attack and obtain administrator privileges in the web system. This underlines the importance of white-box testing.
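The vulnerability class the abstract describes, as an added illustration that is not the paper's web system or its attack code (neither appears on this page): a hypothetical Java session cookie carried as a base64 Java-serialized object. The class and method names, the Surprise stand-in for a gadget-chain class, and the HMAC key are all assumptions made for the example. It needs Java 9 or later for ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Illustrative example, not the paper's system: a session cookie carried as a
// Java-serialized object, the two ways that goes wrong, and the two fixes.
public class DeserializationDemo {

    // Hypothetical session object the server hands to the client.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final String role;
        Session(String user, String role) { this.user = user; this.role = role; }
    }

    // Stand-in for a gadget-chain entry point: its readObject() has a side effect
    // that runs before the server ever looks at what it got back.
    static class Surprise implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real chain would run a command or write a file here
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // VULNERABLE: untrusted bytes go straight into ObjectInputStream.
    static Object readUnsafe(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Fix 1 (JEP 290, Java 9+): allow-list filter. Any class not listed is rejected
    // before its readObject() logic can run.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;DeserializationDemo$Session;java.lang.String;!*");

    static Object readFiltered(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Fix 2: integrity. The filter cannot tell a forged Session from a real one, so the
    // server authenticates the bytes (HMAC-SHA256, placeholder key) before deserializing.
    static final byte[] SERVER_KEY = "placeholder-key-replace-in-production".getBytes(StandardCharsets.UTF_8);

    static byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static String issueCookie(Session s) throws IOException, GeneralSecurityException {
        byte[] raw = serialize(s);
        Base64.Encoder b64 = Base64.getEncoder(); // its alphabet never contains '.', so '.' is a safe separator
        return b64.encodeToString(raw) + "." + b64.encodeToString(hmac(raw));
    }

    static Session readCookie(String cookie) throws IOException, GeneralSecurityException, ClassNotFoundException {
        int dot = cookie.indexOf('.');
        if (dot < 0) throw new SecurityException("malformed cookie");
        byte[] raw = Base64.getDecoder().decode(cookie.substring(0, dot));
        byte[] tag = Base64.getDecoder().decode(cookie.substring(dot + 1));
        if (!MessageDigest.isEqual(hmac(raw), tag)) throw new SecurityException("bad MAC");
        return (Session) readFiltered(raw); // only now touch ObjectInputStream
    }

    public static void main(String[] args) throws Exception {
        // Attack 1: forge a session. Source review (white-box) reveals the Session layout.
        byte[] forged = serialize(new Session("alice", "admin"));
        System.out.println("unsafe role:   " + ((Session) readUnsafe(forged)).role);
        System.out.println("filtered role: " + ((Session) readFiltered(forged)).role);
        String unsigned = Base64.getEncoder().encodeToString(forged) + "." + Base64.getEncoder().encodeToString(new byte[32]);
        try { readCookie(unsigned); } catch (SecurityException e) { System.out.println("signed path:   rejected, " + e.getMessage()); }

        // Attack 2: smuggle an unexpected class. Only the filter stops this one.
        byte[] bomb = serialize(new Surprise());
        readUnsafe(bomb);
        System.out.println("unsafe ran Surprise.readObject:   " + Surprise.triggered);
        Surprise.triggered = false;
        try { readFiltered(bomb); } catch (InvalidClassException e) { /* rejected by FILTER */ }
        System.out.println("filtered ran Surprise.readObject: " + Surprise.triggered);

        System.out.println("legit role:    " + readCookie(issueCookie(new Session("alice", "user"))).role);
    }
}
```

Run it with `java DeserializationDemo.java` (single-file launch, Java 11+). It makes two points a scanner will not: the allow-list filter blocks Surprise before its readObject() runs, but it returns the forged Session with role "admin" just as readily as a genuine one, because Session is on the allow list; only authenticating the bytes before deserialization stops the privilege-escalation path the abstract describes. The better design is not to send serialized Java objects to the client at all and keep session state server-side behind an opaque identifier.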


Citation Format:
Hung-Wei Chiang, Chao-Lung Chou, "JAVA Web System Deserialization Vulnerability Detection Technology," Communications of the CCISA, vol. 30, no. 2, pp. 45-63, May 2024.


Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com