Lab: Modifying serialized data types | Portswigger

Web security academy

Lab description

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.

Access the lab

  • Log in with the credentials wiener : peter.
  • In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
  • Decode it as URL, then as base64.
[Screenshot: deserialization format]
  • In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
  • Update the length of the username attribute to 13.
  • Change the username to administrator.
  • Change the access token to the integer 0. As this is no longer a string, you also need to remove the double-quotes surrounding the value.
  • Update the data type label for the access token by replacing s with i.
[Screenshot: modifying data types]
  • Encode it as base64 first.
  • Then encode it as URL.
  • Copy this URL-encoded value, paste it into the Cookie field (in the Inspector) and refresh the page.
  • Wow, I got access to the admin panel and have permission to delete any user.
[Screenshot: access admin panel]

Second method

While solving the lab, I made an error in the session format; it caused an internal server error and the server leaked all the tokens stored in the system.

[Screenshot: internal server error]
$access_tokens = [z95mls52t3l8efgp85tfl1aalg54hyg9, gjv08qeybgi7kisid7dsen67zsdj0vbc, f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh]
  • I tried this token: z95mls52t3l8efgp85tfl1aalg54hyg9
  • Then I changed the token value to the following format.
  • I changed the token to the last one: gjv08qeybgi7kisid7dsen67zsdj0vbc
[Screenshot: admin panel]
  • So, I changed the length of the username from 13 to 6.
  • I changed the value of the username from administrator to carlos, as in the following format.
  • I changed the token to the last one.
[Screenshot: account takeover]
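Both methods above come down to hand-editing a PHP-serialized object, and the internal server error in the second method is what happens when an s:N length label no longer matches the string. The helper below is an added example, not code from the post or from the lab: it decodes the cookie the way the walkthrough does (URL, then base64), parses the object with the same length check PHP's unserialize() applies, re-serializes with the labels recomputed, and shows the server-side check that defeats the bypass, since the "integer 0" trick only works against PHP's loose == (true for 0 == "non-numeric string" before PHP 8), not against a strict type-and-value comparison. The object layout (a "User" class with username and access_token members) and the sample token are assumptions for the demo.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample session (assumed object layout, not copied from the lab): a
# PHP-serialized "User" object that is base64- and then URL-encoded into the cookie.
SAMPLE_TOKEN = "z95mls52t3l8efgp85tfl1aalg54hyg9"
SAMPLE_OBJECT = f'O:4:"User":2:{{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"{SAMPLE_TOKEN}";}}'

def decode_cookie(cookie: str) -> str:   # URL-decode, then base64-decode (ASCII payload assumed)
    return base64.b64decode(unquote(cookie)).decode()
def encode_cookie(data: str) -> str:     # the reverse: base64 first, then URL-encode
    return quote(base64.b64encode(data.encode()).decode())

def _read_string(data: str, pos: int):
    """Read 's:N:"..."' at pos; like PHP's unserialize(), refuse a length label that does not fit."""
    m = re.match(r's:(\d+):"', data[pos:])
    if not m:
        raise ValueError(f"expected a string at offset {pos}")
    n, start = int(m.group(1)), pos + m.end()
    if data[start + n:start + n + 2] != '";':
        raise ValueError(f"length label {n} does not match the string at offset {pos}")
    return data[start:start + n], start + n + 2

def parse_php_object(data: str):
    """Parse a flat PHP-serialized object with str/int members -> (class, {name: value})."""
    m = re.match(r'O:(\d+):"([^"]*)":(\d+):\{', data)
    if not m: raise ValueError("not a serialized object")
    pos, fields = m.end(), {}
    for _ in range(int(m.group(3))):
        name, pos = _read_string(data, pos)
        if data.startswith("s:", pos):                       # string member
            fields[name], pos = _read_string(data, pos)
        elif im := re.match(r"i:(-?\d+);", data[pos:]):      # integer member (the s -> i edit)
            fields[name], pos = int(im.group(1)), pos + im.end()
        else:
            raise ValueError(f"unsupported type at offset {pos}")
    return m.group(2), fields

def serialize_php_object(cls: str, fields: dict) -> str:
    """Re-serialize, recomputing every s:N label so the lengths stay consistent."""
    enc = lambda v: f"i:{v};" if isinstance(v, int) else f's:{len(v)}:"{v}";'
    body = "".join(enc(k) + enc(v) for k, v in fields.items())
    return f'O:{len(cls)}:"{cls}":{len(fields)}:{{{body}}}'

def session_is_valid(cookie: str, tokens_by_user: dict) -> bool:
    """Strict server-side check: the token must be a str and equal the stored one."""
    _, f = parse_php_object(decode_cookie(cookie))
    token = f.get("access_token")
    return isinstance(token, str) and tokens_by_user.get(f.get("username")) == token
```

Running parse_php_object on an object whose s:N label was edited without fixing the string (the second method's mistake) raises ValueError, which is the error the server surfaced as a 500.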



Cyber security engineer
