Recipe for demo

# Preparatory Steps (Only needs to be done once!)
-------------------------------------------------

1. Install Java 
-----------
(MAC) https://tejaksha-k.medium.com/a-step-by-step-guide-to-installing-java-on-macos-5188bfdf99d7
(WIN) https://www.java.com/download/ie_manual.jsp

2. Install Maven
-----------
(MAC) https://www.digitalocean.com/community/tutorials/install-maven-mac-os
(WIN) https://phoenixnap.com/kb/install-maven-windows

3. Install Git 
-----------
(MAC) https://git-scm.com/download/mac
(WIN) https://git-scm.com/download/win

4. Setup Github
------------
https://docs.github.com/en/get-started/onboarding/getting-started-with-your-github-account

5. Setup PreZero
-------------
https://docs.shiftleft.io/sast/getting-started/setup

Blog Reference
--------------
6. https://blog.shiftleft.io/java-deserialization-vulnerability-found-to-be-widespread-across-saas-vendor-sdks-8e7ec3dfc5fa

Project Preparation
-------------------

Download bait project
7. git clone https://github.com/conikeec/jackspoilt.git

8. `cd jackspoilt`

## compile and package 
9. mvn clean package

## verify if gadgets are avaliable to exploit (refer blog)
10. mvn dependency:tree

# (on a separate terminal) Start application server
11. java -jar target/jackspoilt-1.0-SNAPSHOT.jar

## Exploit preparation : Spin up another terminal

12. cd jackspoilt

# create the exploit by editing ./master/exploit/Exploit.java
# current version adds errros to log and spawns a calculator on OSX 
# (For Linux based OS please revise the line to specify an exploit of your choice)
# Modify here https://github.com/conikeec/jackspoilt/blob/master/exploit/Exploit.java#L13

13. 
For windows : `calc`
For mac: `open -a Calculator`

14.
# Compile the exploit 
# compile ./master/exploit/Exploit.java

15.
rm attackscripts/attack.json

16.
mvn exec:java -D"exec.mainClass"="EncodeExploit"

# The command above creates attack.json in the attackscripts directory (view it)

more attackscripts/attack.json

## Run the exploit

# Ensure that the service is running on the other terminal
# exercise the web routes 

17.
./add.sh
./list.sh

# This command will inject a malicious payload, trigger gadget chain and you should see the calculator
# (Edit exploit/Exploit.java to add your exploit command of choice)

18.
./exploit.sh

After step 18, kill the running java process by pressing `control-c` in the terminal

-- the section above has the base setup complete to prove exploit

19. In Step (5) you already setup an account and downloaded `sl` . Head here https://app.shiftleft.io/organization/overview 
    and copy over your organization_id and slack Gabe to enable AutoFix for your Org
    
20. If (5) and (19) is completed successfully, you should now be able to analze apps

21. Let's analyze the bait project using the following command
    `sl analyze --wait --javasrc --app jackspoilt --verbose --force --oss-project-dir /[YOUR_FOLDER]/jackspoilt /[YOUR_FOLDER]/jackspoilt`
    Replace [YOUR_FOLDER] with your absolute path (just `cd` to the project folder and type `pwd`)

22. The analysis will run in verboe mode and you should see detailed logs. Once complete head to the dashboard and 
    then click on the app, then search for any findings that say log_forging, deserialzation, etc and get into the details
    and to autofix tab. There should be a fix recommendation that alludes to replacing this line 
    `private static ObjectMapper deserializer = new ObjectMapper().enableDefaultTyping();` with 
    `private static ObjectMapper deserializer = new ObjectMapper();` here https://github.com/conikeec/jackspoilt/blob/master/src/main/java/io/shiftleft/jackspoilt/App.java#L22

23. After step (22), save the file and repeat step 9, 10, 11
    
24. The server is restarted

25. Repeat step 18 and now the calculator does not pop, which indicates that the fix worked

---

Adios